Coordinated Disclosure Timeline

Summary

The ‘pr_title.yml’ GitHub workflow is vulnerable to arbitrary command injection.

Product

aws/aws-sam-cli GitHub repository

Tested Version

pr_title.yml

Details

Issue: The title of a public GitHub pull request is used to format a shell command

A Pull Request title is used to format a bash script:

name: Check PR title
on:
  pull_request:
    types: [opened, edited]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Check PR title
        run: |
          title="${{ github.event.pull_request.title }}"
          if [[ ! $title =~ ^.*:\ .*$ ]]; then
            echo "Pull request titles must adhere to Conventional Commits: https://www.conventionalcommits.org"
            exit 1
          fi

Impact

This vulnerability allows for arbitrary command injection into the bash script. As a proof of concept, a Pull Request with the title ‘title"; exit 0 #’ would make the script return early.

Workflows triggered by pull_request run with a limited repository token and have no access to secrets. The attacker couldn’t do much beyond CI DoS attacks or running their own code in the context of the GitHub Actions runner.
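As an added example that is not part of this advisory or of the aws-sam-cli repository, the bash below shows the same Conventional Commits check rewritten so the title reaches the shell as an environment variable instead of being interpolated into the script text, with the original interpolation reproduced beside it for comparison; the PR_TITLE variable name and the two function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example: hardened vs. interpolated handling of an untrusted PR title.
#
# In the workflow the fix is to move the expression out of `run:` and into
# `env:`, so GitHub Actions writes its value into the process environment
# and the shell only ever sees plain data (names here are assumptions):
#
#   - name: Check PR title
#     env:
#       PR_TITLE: ${{ github.event.pull_request.title }}
#     run: |
#       if [[ ! "$PR_TITLE" =~ ^.*:\ .*$ ]]; then
#         echo "Pull request titles must adhere to Conventional Commits"
#         exit 1
#       fi

# Hardened check: the title arrives as a variable value ($1 here,
# $PR_TITLE in the workflow), so its contents are never parsed as bash.
check_title_safe() {
  local title="$1"
  if [[ ! "$title" =~ ^.*:\ .*$ ]]; then
    echo "Pull request titles must adhere to Conventional Commits: https://www.conventionalcommits.org" >&2
    return 1
  fi
  return 0
}

# The original pattern, reproduced for comparison: ${{ }} is expanded
# textually before the shell starts, so the title becomes script source.
# The assembled script is run in a child bash, as the runner would do.
check_title_interpolated() {
  local title="$1"
  local script
  script='title="'"$title"'"
if [[ ! $title =~ ^.*:\ .*$ ]]; then
  echo "Pull request titles must adhere to Conventional Commits" >&2
  exit 1
fi'
  bash -c "$script"
}
```

With the advisory's title ‘title"; exit 0 #’ the interpolated variant exits 0 before the regex is ever evaluated, while the hardened variant rejects it like any other title without a ‘: ’ separator.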

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2020-230 in any communication regarding this issue.