GitHub has fixed a high-severity security flaw that was reported to it by Google Project Zero more than three months earlier.
The flaw affects GitHub Actions, the platform's developer workflow automation tool, which was found to be vulnerable to injection attacks.
GitHub’s Actions support a feature called workflow commands as a communication channel between the Action runner and the executed action.
According to Google Project Zero’s Felix Wilhelm, who reported the security flaw, the way workflow commands are implemented is “fundamentally insecure”.
Even though Google has described it as a ‘high severity’ bug, GitHub claimed it to be a ‘moderate security vulnerability’.
Google Project Zero normally discloses the flaws it finds 90 days after reporting them. At the start of November, Google publicly disclosed the issue after GitHub had failed to fix it within 104 days, beyond the standard time frame.
The disclosure put pressure on the company, and the vulnerability has now been patched. Last week GitHub addressed the issue by disabling the feature's old runner commands, "set-env" and "add-path", as Wilhelm had suggested.
The fix was implemented on November 16, or two weeks after Wilhelm publicly disclosed the issue.
Wilhelm noted in his bug report that GitHub's action runner command "set-env" can be used to define arbitrary environment variables as part of a workflow step. The underlying problem is that the feature is highly vulnerable to injection: because the runner process parses every line printed to STDOUT looking for workflow commands, any GitHub Action that prints untrusted content as part of its execution can be made to execute those commands.
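To make the mechanism concrete, the following added example (not code from the article, from GitHub, or from Project Zero) reconstructs, in simplified form, how a runner that scans STDOUT for `::command key=value::value` lines behaves before and after "set-env" is disabled, and gives a defender's audit function that flags which log lines would have been interpreted as commands. The regex, the `run_workflow_output` and `find_untrusted_commands` helpers, and the sample log lines are all assumptions constructed for this example; GitHub's real parser is not reproduced here.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed, simplified syntax of a workflow-command line as printed to STDOUT:
#   ::<command> key=value,key2=value2::<value>
# This is a reconstruction for illustration, not GitHub's actual grammar.
COMMAND_RE = re.compile(
    r"^::(?P<cmd>[a-zA-Z0-9_-]+)(?:\s+(?P<params>[^:]*))?::(?P<value>.*)$"
)


def parse_workflow_command(line: str) -> Optional[Dict]:
    """Return {'cmd', 'params', 'value'} if the line looks like a workflow command, else None."""
    m = COMMAND_RE.match(line.strip())
    if not m:
        return None
    params: Dict[str, str] = {}
    if m.group("params"):
        for item in m.group("params").split(","):
            key, _, val = item.partition("=")
            params[key.strip()] = val.strip()
    return {"cmd": m.group("cmd"), "params": params, "value": m.group("value")}


def run_workflow_output(lines: List[str], set_env_enabled: bool) -> Tuple[Dict[str, str], List[str]]:
    """Simulate a runner consuming a step's STDOUT line by line.

    Returns the environment variables the runner would define and the list of
    command names it recognised. With set_env_enabled=False (the behaviour after
    GitHub's fix), set-env lines are still recognised but no longer applied.
    """
    env: Dict[str, str] = {}
    seen: List[str] = []
    for line in lines:
        cmd = parse_workflow_command(line)
        if cmd is None:
            continue  # ordinary log output, not a command
        seen.append(cmd["cmd"])
        if cmd["cmd"] == "set-env" and set_env_enabled:
            env[cmd["params"].get("name", "")] = cmd["value"]
    return env, seen


def find_untrusted_commands(lines: List[str]) -> List[Tuple[int, str]]:
    """Defender's audit: (line number, command) for every line a runner would treat as a command."""
    return [
        (i, c["cmd"])
        for i, line in enumerate(lines, 1)
        if (c := parse_workflow_command(line)) is not None
    ]


# Constructed sample STDOUT of a step that echoes untrusted input (e.g. a PR title)
# verbatim. Line 3 is the injected command; line 4 is a legitimate runner command.
SAMPLE_STDOUT = [
    "Checking out pull request #42",
    "Running lint...",
    "::set-env name=INJECTED::attacker-controlled",
    "::warning::build took longer than expected",
    "Done.",
]

if __name__ == "__main__":
    env_before, _ = run_workflow_output(SAMPLE_STDOUT, set_env_enabled=True)
    env_after, _ = run_workflow_output(SAMPLE_STDOUT, set_env_enabled=False)
    print("vulnerable runner defined:", env_before)   # {'INJECTED': 'attacker-controlled'}
    print("patched runner defined:   ", env_after)    # {}
    print("lines to review:", find_untrusted_commands(SAMPLE_STDOUT))
```

The audit function is the practical takeaway: when reviewing workflow logs from before the fix, any line that matches the command syntax and originated from untrusted input (PR titles, commit messages, issue bodies, file contents) deserves a second look, since on a runner that still honoured "set-env" it would have changed the environment of later steps.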
After GitHub fixed the issue, the Google Project Zero team validated the fix and marked the issue as fixed in its issue tracker.