The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The core.exportVariable
function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to the GITHUB_ENV
file may cause the path or other environment variables to be modified without the intention of the workflow or action author. Users should upgrade to @actions/core v1.9.1
. If you are unable to upgrade the @actions/core
package, you can modify your action to ensure that any user input does not contain the delimiter _GitHubActionsFileCommandDelimeter_
before calling core.exportVariable
.
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Toolkit | Github | * | 1.9.1 (excluding) |
Command injection vulnerabilities typically occur when:
Many protocols and products have their own custom command language. While OS or shell command strings are frequently discovered and targeted, developers may not realize that these other command languages might also be vulnerable to attacks. Command injection is a common problem with wrapper programs.