You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A command injection vulnerability exists in the GitHub Actions workflow. The workflow may execute unintended commands on the GitHub Actions runner when an issue is created or edited with a specially crafted title or body. This happens because user inputs are interpolated directly into run commands without proper sanitization.
Mini Showcase Repository (REQUIRED)
N/A (This issue is related to the current repository.)
Observe the GitHub Actions workflow logs to verify if the injected command is executed. You should see output from the command if the injection is successful.
Expected Behavior
The workflow should safely handle user inputs by escaping or sanitizing them, preventing the execution of any injected commands.
Context
qiankun Version: N/A
Platform Version: GitHub Actions
Browser Version: N/A
Additional Information
The provided payload demonstrates how command injection can occur when inputs are not properly sanitized. The example uses a base64-encoded payload to inject and execute commands in the workflow. Please refer to GitHub's security guidelines for more information on securing workflows: Security Hardening for GitHub Actions.
What happens?
A command injection vulnerability exists in the GitHub Actions workflow. The workflow may execute unintended commands on the GitHub Actions runner when an issue is created or edited with a specially crafted title or body. This happens because user inputs are interpolated directly into run commands without proper sanitization.
Mini Showcase Repository (REQUIRED)
N/A (This issue is related to the current repository.)
How To Reproduce
Steps to reproduce the behavior:
https://github.com/rohanday3/qiankun
Create a new issue in the repository with the following title:
";{echo,ZWNobyAiSW5qZWN0ZWQgQ29tbWFuZDogJChscyki}|{base64,-d}|{bash,-i};echo"
Observe the GitHub Actions workflow logs to verify if the injected command is executed. You should see output from the command if the injection is successful.
Expected Behavior
The workflow should safely handle user inputs by escaping or sanitizing them, preventing the execution of any injected commands.
Context
Additional Information
The provided payload demonstrates how command injection can occur when inputs are not properly sanitized. The example uses a base64-encoded payload to inject and execute commands in the workflow. Please refer to GitHub's security guidelines for more information on securing workflows: Security Hardening for GitHub Actions.
@DavidBakerEffendi
The text was updated successfully, but these errors were encountered: