The bloat.yml GitHub workflow in linebender/druid, linebender/runebender and linebender/norad is vulnerable to unauthorized modification of the base repository or secrets exfiltration.
linebender/druid repository
linebender/runebender repository
linebender/norad repository
The latest version of bloat.yml to date.
When a user comments on a pull request, it triggers the following workflow, which checks out the pull request and builds the potentially untrusted code:
```yaml
on:
  issue_comment:
    types: [created, edited]
...
    # if it isn't an issue comment run every time, otherwise only run if the comment starts with '/bloat'
    if: (!startsWith(github.event_name, 'issue_comment') || startsWith(github.event.comment.body, '/bloat'))
    steps:
    ...
      - name: build head
        if: steps.get_revs.outputs.base != steps.get_revs.outputs.head
        uses: actions-rs/cargo@v1
        with:
          command: build
          args: --release --examples
```
Because it runs on the issue_comment event, the triggered workflow executes with a write-scoped repository token and access to the repository's secrets, while building code supplied by the pull request author. The vulnerability allows for unauthorized modification of the base repository and secrets exfiltration.
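As an added illustration (not code from the linebender projects or from this advisory), the trigger pattern described above next to a hardened variant that builds the pull request under the pull_request event, where fork pull requests receive a read-only token and no secrets, and that pins the token to read-only explicitly. The job name, step names and the checkout ref are assumptions; the flagged workflow's real revision logic is elided here.

```yaml
# Pattern flagged by the advisory (assumed minimal reconstruction, not the
# real file): an issue_comment trigger runs with the base repository's
# write token and secrets, yet checks out and builds whatever the pull
# request contains.
on:
  issue_comment:
    types: [created, edited]
jobs:
  bloat:
    if: startsWith(github.event.comment.body, '/bloat')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # untrusted code from the PR head (ref is an assumed example)
          ref: refs/pull/${{ github.event.issue.number }}/head
      # build.rs / proc-macros run here with the write token in scope
      - run: cargo build --release --examples

---
# Hardened variant: the pull_request event gives fork PRs a read-only
# GITHUB_TOKEN and no repository secrets, and the permissions block keeps
# the token read-only even for same-repository branches. The untrusted
# build step is never handed anything it could use to modify the repo.
on:
  pull_request:
    types: [opened, synchronize, reopened]
permissions:
  contents: read
jobs:
  bloat:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config
      - run: cargo build --release --examples
```

If the size report still has to be posted back as a comment, do that from a separate workflow triggered by workflow_run, which runs only the base repository's own code with the write permission it needs.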
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
You can contact the GHSL team at [email protected]; please include a reference to GHSL-2021-048 in any communication regarding this issue.