
fix: Mitigate command injection risk in GitHub Actions workflow #3008

Open
rohanday3 opened this issue Sep 16, 2024 · 1 comment · May be fixed by #3009

rohanday3 commented Sep 16, 2024

What happens?

A command injection vulnerability exists in the GitHub Actions workflow. The workflow may execute unintended commands on the GitHub Actions runner when an issue is created or edited with a specially crafted title or body. This happens because user inputs are interpolated directly into run commands without proper sanitization.

Mini Showcase Repository (REQUIRED)

N/A (This issue is related to the current repository.)

How To Reproduce

Steps to reproduce the behavior:

https://github.com/rohanday3/qiankun

  1. Create a new issue in the repository with the following title:

    • Issue Title: ";{echo,ZWNobyAiSW5qZWN0ZWQgQ29tbWFuZDogJChscyki}|{base64,-d}|{bash,-i};echo"
  2. Observe the GitHub Actions workflow logs to verify if the injected command is executed. You should see output from the command if the injection is successful.

Expected Behavior

The workflow should safely handle user inputs by escaping or sanitizing them, preventing the execution of any injected commands.

Context

  • qiankun Version: N/A
  • Platform Version: GitHub Actions
  • Browser Version: N/A

Additional Information

The provided payload demonstrates how command injection can occur when inputs are not properly sanitized. The example uses a base64-encoded payload to inject and execute commands in the workflow. Please refer to GitHub's security guidelines for more information on securing workflows: Security Hardening for GitHub Actions.
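The script below is an added example, not code from the qiankun repository or from the reporter. It reproduces the mechanism the report relies on: the Actions runner expands `${{ github.event.issue.title }}` into the step's script as plain text before any shell starts, so quotes written in the workflow cannot contain a crafted title. The workflow snippets in the comments are assumed for illustration (the report does not show the affected workflow), and the constructed title uses a harmless `echo INJECTED` marker in place of the base64 | bash chain, with the same quote-breaking shape.

```shell
#!/usr/bin/env bash
# Added example (not from the qiankun repository). Simulates how a GitHub
# Actions `run:` step is assembled, to show why interpolating event data into
# the script text is exploitable and why passing it through `env:` is not.

# Constructed attacker-controlled issue title: close the quote, run a command,
# reopen the quote. Harmless marker instead of the report's base64 payload.
MALICIOUS_TITLE='";echo INJECTED;echo "'

# Vulnerable step (assumed shape, as a workflow would write it):
#   run: echo "Issue title: ${{ github.event.issue.title }}"
# The runner's expansion is equivalent to this printf: the raw value is pasted
# into the script text, and only afterwards is the text handed to bash.
render_vulnerable_step() {
  printf 'echo "Issue title: %s"\n' "$1"
}

run_vulnerable_step() {
  bash -c "$(render_vulnerable_step "$1")"
}

# Hardened step (the pattern GitHub's security hardening guide recommends):
#   env:
#     ISSUE_TITLE: ${{ github.event.issue.title }}
#   run: echo "Issue title: $ISSUE_TITLE"
# The expression is still expanded, but into an environment variable; the
# script text is constant and bash treats "$ISSUE_TITLE" as data, not code.
run_hardened_step() {
  ISSUE_TITLE="$1" bash -c 'echo "Issue title: $ISSUE_TITLE"'
}

# Returns 0 if the marker command ran, i.e. the title was executed as code.
title_was_executed() {
  printf '%s\n' "$1" | grep -qx 'INJECTED'
}

demo() {
  echo "--- script bash actually receives (vulnerable) ---"
  render_vulnerable_step "$MALICIOUS_TITLE"
  echo "--- vulnerable step output ---"
  run_vulnerable_step "$MALICIOUS_TITLE"
  echo "--- hardened step output ---"
  run_hardened_step "$MALICIOUS_TITLE"
}

demo
```

Running it shows the vulnerable step emitting a separate `INJECTED` line, because the expanded script is `echo "Issue title: ";echo INJECTED;echo ""`, while the hardened step prints the title verbatim on one line. The same reasoning applies to any attacker-writable context value (issue body, PR title, branch name, commit message): move it into `env:` and reference the variable, and never rebuild a command string from it with `eval` or a second shell.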

@DavidBakerEffendi


Because there is not enough information (a reproducible repository on GitHub, StackBlitz, CodeSandbox, etc.), we have temporarily closed this issue. Please edit the issue (do not reply) to provide a minimal reproduction so it can be reopened. Thank you. If this is only a technical question, please head to https://qiankun.umijs.org/#-community to discuss it.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Sep 16, 2024
@github-actions github-actions bot reopened this Sep 16, 2024