GitHub has fixed a severe security vulnerability, reported by Google Project Zero researchers about three months ago. The flaw affected GitHub’s Actions feature, a developer workflow automation tool, and was discovered by Felix Wilhelm.
In the researcher’s words, the feature was highly susceptible to injection attacks, although GitHub rated the flaw as moderate. Google published details about the vulnerability 194 days after the initial report.
More about GitHub’s Injection Vulnerability
Project Zero typically discloses information about a flaw within 90 days of the original report. It is noteworthy that by November 2, GitHub had exceeded that period. Shortly before the end of the extended disclosure deadline, GitHub said it wouldn’t disable the vulnerable tool and asked for a further 48-hour extension.
During those hours, GitHub intended to inform its customers about the issue and to give a date by which it would be resolved. Following these events, Google went public with the vulnerability, 104 days after the initial report.
The good news is that GitHub finally fixed the bug last week, following Wilhelm’s advice to disable the tool’s old runner commands – set-env and add-path.
“The big problem with this feature is that it is highly vulnerable to injection attacks. As the runner process parses every line printed to STDOUT looking for workflow commands, every GitHub action that prints untrusted content as part of its execution is vulnerable. In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed,” said Wilhelm in his original bug report.
In short, the ability to set arbitrary environment variables could lead to remote code execution, and the attack could be triggered as soon as another workflow is executed, the researcher explained. Wilhelm has now confirmed that GitHub’s bug is finally fixed.
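To make the mechanism concrete, here is an added illustration (not code from the article, from Wilhelm’s report, or from GitHub’s runner): a small Python model of the stdout scanning described above, showing why a line of untrusted text printed by an action was treated as a set-env command on the old runner, and the file-based replacement in which only NAME=value lines written to the file named by $GITHUB_ENV change the environment. The command regex, the environment-variable name check and the sample issue title are simplifying assumptions made for this model.

```python
import re
from typing import Dict, List

# Workflow-command syntax the runner scans for on stdout: "::cmd key=value::data".
# Simplified model for illustration, not the runner's own parsing code.
CMD_RE = re.compile(r"^::(?P<cmd>[a-z-]+)(?: (?P<params>[^:]*))?::(?P<data>.*)$")
ENV_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # assumed name check for env-file lines

def scan_stdout(lines: List[str], env: Dict[str, str], legacy_commands: bool) -> Dict[str, str]:
    """Environment after the runner has scanned every stdout line of a step.

    legacy_commands=True models the pre-fix runner, which honoured set-env and
    add-path wherever they appeared; False models the fix, which ignores them.
    """
    env = dict(env)
    for line in lines:
        m = CMD_RE.match(line.rstrip("\n"))
        if not m or not legacy_commands:
            continue
        params = dict(p.split("=", 1) for p in (m.group("params") or "").split(",") if "=" in p)
        if m.group("cmd") == "set-env" and "name" in params:
            env[params["name"]] = m.group("data")
        elif m.group("cmd") == "add-path":
            env["PATH"] = m.group("data") + ":" + env.get("PATH", "")
    return env

def apply_env_file(file_lines: List[str], env: Dict[str, str]) -> Dict[str, str]:
    """Model of the replacement: a step appends NAME=value lines to the file named by
    $GITHUB_ENV. Only that file changes the environment; stdout content never does."""
    env = dict(env)
    for line in file_lines:
        name, sep, value = line.rstrip("\n").partition("=")
        if sep and ENV_NAME_RE.match(name):
            env[name] = value
    return env

# Constructed sample: the action prints an issue title on its own line, and the
# title happens to be shaped like a workflow command.
UNTRUSTED_TITLE = "::set-env name=INJECTED::value-chosen-by-issue-author"
ACTION_STDOUT = ["Processing issue", UNTRUSTED_TITLE, "done"]
BASE_ENV = {"PATH": "/usr/bin"}

if __name__ == "__main__":
    print("old runner:  ", scan_stdout(ACTION_STDOUT, BASE_ENV, legacy_commands=True))
    print("fixed runner:", scan_stdout(ACTION_STDOUT, BASE_ENV, legacy_commands=False))
    print("env file:    ", apply_env_file(["BUILD_MODE=release"], BASE_ENV))
```

On the old-runner path the untrusted title becomes a new environment variable; with legacy commands disabled the same line is just text, and the env file only accepts well-formed NAME=value entries the step itself wrote.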
In October, GitHub added a code-scanning feature to detect security vulnerabilities. The feature was first announced during the GitHub Satellite conference. Initially available to beta testers, it has now been used more than 1.4 million times on over 12,000 repositories. As a result of the scans, more than 20,000 vulnerabilities have been identified, including remote code execution, SQL injection, and cross-site scripting issues.