Google Project Zero, the Google security team that finds bugs in all popular software, has disclosed what it classes a high-severity flaw on GitHub after the code-hosting site asked for a double extension on the normal 90-day disclosure deadline.
The bug in GitHub's Actions feature – a developer workflow automation tool – has become one of the rare vulnerabilities that wasn't properly fixed before Google Project Zero's (GPZ) standard 90-day deadline expired. Over 95.8% of flaws are fixed within the deadline, according to Google's hackers[1].
GPZ is known to be generally strict with its 90-day deadline, but it appears GitHub was a little lax in its responses as the deadline approached after Google gave it every chance to fix the bug.
As detailed in a disclosure timeline by GPZ's Felix Wilhelm[3], the Google security team reported the issue to GitHub's security on July 21 and a disclosure date was set for October 18.
According to Wilhelm, Actions' workflow commands are "highly vulnerable to injection attacks".
"As the runner process parses every line printed to STDOUT looking for workflow commands, every GitHub action that prints untrusted content as part of its execution is vulnerable. In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed," wrote Wilhelm.
"I've spent some time looking at popular GitHub repositories and almost any project with somewhat complex GitHub actions is vulnerable to this bug class."
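The parsing behaviour Wilhelm describes (the runner scanning each STDOUT line for `::command::` syntax) and the guard that GitHub's deprecation notice pointed developers to (`::stop-commands::<token>`) are shown below as an added example; this is not code from the article, Google Project Zero or GitHub. It is a defender-side lint: given the lines a step printed, it reports which ones the runner would have interpreted, flags the deprecated `set-env` and `add-path` commands as environment injection, and honours a `stop-commands` block the way the runner does. The regular expression is an approximation of the real runner's parser written for this example, and the log lines are constructed.

```python
import re
import secrets
from typing import Dict, List, Optional

# Approximation of the line shape the runner looks for on STDOUT:
#   ::command key=value,key=value::data
# Written for this lint; it is not the runner's own parser.
WORKFLOW_CMD = re.compile(r"^::([A-Za-z0-9_-]+)(?:\s+([^:]*?))?::(.*)$")

# Commands GitHub deprecated on 1 October 2020: any untrusted text that
# reaches STDOUT can use them to change the environment of later steps.
HIGH_RISK = {
    "set-env": "sets an environment variable for later steps",
    "add-path": "prepends a directory to PATH for later steps",
}

# Constructed sample of what a step might print; lines 2 and 7 would be
# acted on, line 5 is inert because a stop-commands block is active.
SAMPLE_LOG = """\
Checking out commit abc123
::set-env name=PATH_OVERRIDE::/tmp/constructed
::warning::this is a normal annotation
::stop-commands::sample-end-token
::set-env name=IGNORED::because stop-commands is active
::sample-end-token::
::add-path::/opt/constructed/bin
"""


def _parse_props(raw: Optional[str]) -> Dict[str, str]:
    """Turn 'k=v,k2=v2' into a dict; empty or missing props give {}."""
    props: Dict[str, str] = {}
    if not raw:
        return props
    for pair in raw.split(","):
        key, _, value = pair.partition("=")
        if key.strip():
            props[key.strip()] = value.strip()
    return props


def find_workflow_commands(log_text: str) -> List[dict]:
    """Report every line the runner would treat as a workflow command.

    Lines inside a ::stop-commands::TOKEN ... ::TOKEN:: block are skipped,
    mirroring the runner, so a guarded section produces no findings.
    """
    findings: List[dict] = []
    stop_token: Optional[str] = None
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        stripped = line.strip()
        if stop_token is not None:
            # Only the exact resume line ends the block; nothing else is parsed.
            if stripped == f"::{stop_token}::":
                stop_token = None
            continue
        match = WORKFLOW_CMD.match(stripped)
        if not match:
            continue
        command, raw_props, value = match.groups()
        if command == "stop-commands":
            stop_token = value.strip()
            risk = "info"
        elif command in HIGH_RISK:
            risk = "high"
        else:
            risk = "low"  # annotations such as warning/error/debug
        findings.append({
            "line": lineno,
            "command": command,
            "props": _parse_props(raw_props),
            "value": value,
            "risk": risk,
            "note": HIGH_RISK.get(command, ""),
        })
    return findings


def escape_untrusted(text: str, end_token: Optional[str] = None) -> str:
    """Wrap untrusted output so the runner ignores any commands inside it.

    The token must be unpredictable: if the untrusted text could contain
    ::TOKEN:: it would end the block early, so a random one is generated
    unless the caller supplies its own (the test passes a fixed token).
    """
    token = end_token or secrets.token_hex(16)
    if f"::{token}::" in text:
        raise ValueError("untrusted text contains the resume token")
    return f"::stop-commands::{token}\n{text}\n::{token}::"


if __name__ == "__main__":
    for finding in find_workflow_commands(SAMPLE_LOG):
        print(f"line {finding['line']:>2} [{finding['risk']}] "
              f"::{finding['command']}:: {finding['note']}")
```

Running the block prints one line per interpreted command; the `set-env` on line 5 of the sample never appears because the `stop-commands` block swallows it, which is exactly the effect the guard is meant to have on untrusted output.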
GitHub issued an advisory on October 1[4] and deprecated the vulnerable commands, but argued that what Wilhelm had found was in fact a "moderate security vulnerability". GitHub assigned the bug the tracking identifier