Command Injection via the .env file #5

Open
nikitastupin opened this issue Jan 23, 2022 · 0 comments

Hi @c-py,

The action is vulnerable to a command injection vulnerability. This makes workflows that use the action in pull_request_target and other contexts with read/write access vulnerable.

You may contact me @nikitastupin on Telegram or _nikitastupin on Twitter if you have questions or doubts.

P.S. I tried to find a private channel of communication with no luck, so the only way was to file the issue publicly.

Steps to Reproduce

Create the .env file with the following contents:

TEST='"; echo "untrusted code execution!" >&2 #'

Run the ./dotenv.sh script. You should see the following output:

untrusted code execution!
dotenv.sh: line 66: $GITHUB_ENV: ambiguous redirect

Remediation

I would suggest avoiding eval as part of the action logic.
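
The remediation above, sketched as an added example (not part of the original issue and not the action's own code): a `.env` loader that treats every value as data and never passes it to `eval`. `load_dotenv_safe` is a hypothetical helper, the sample `.env` is constructed from the payload in the report, and single-line `KEY=VALUE` entries are assumed.

```shell
#!/bin/sh
# Added example: load KEY=VALUE pairs from an untrusted .env file without eval.
# load_dotenv_safe is a hypothetical helper, not code from the action.
load_dotenv_safe() {
    env_file=$1   # path to the untrusted .env file
    out_file=$2   # file to append to (in a workflow: "$GITHUB_ENV", quoted)
    while IFS= read -r line || [ -n "$line" ]; do
        # Skip blank lines and comments.
        case $line in ''|'#'*) continue ;; esac
        # Require a KEY=VALUE shape; everything after the first '=' is the value.
        case $line in *=*) ;; *) echo "skipping malformed line" >&2; continue ;; esac
        key=${line%%=*}
        value=${line#*=}
        # Accept only identifier-style keys (letters, digits, underscore).
        case $key in
            ''|[0-9]*|*[!A-Za-z0-9_]*) echo "skipping invalid key" >&2; continue ;;
        esac
        # Strip one pair of matching surrounding quotes by text manipulation only.
        case $value in
            \"*\") value=${value#\"}; value=${value%\"} ;;
            \'*\') value=${value#\'}; value=${value%\'} ;;
        esac
        # The value is passed as a printf argument, so the shell never re-parses it.
        printf '%s=%s\n' "$key" "$value" >> "$out_file"
    done < "$env_file"
}

# Constructed demo input: the payload from the report plus a benign pair.
demo=$(mktemp -d)
cat > "$demo/.env" <<'EOF'
TEST='"; echo "untrusted code execution!" >&2 #'
GOOD=value
EOF
load_dotenv_safe "$demo/.env" "$demo/github_env"
cat "$demo/github_env"
rm -rf "$demo"
```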
