githubevents / open-source-friday

The home for open source maintainer chats
https://www.twitch.tv/github

Sanitize variable which can be controlled by user input #31

Closed NaorYaa closed 8 months ago

NaorYaa commented 8 months ago

You are using a variable which can be controlled by user input, and it may result in command execution on your runners, and secrets extraction by malicious actors.

Since the ${{ github.event.issue.body }} value can be controlled by the user who creates the issue, a malicious actor can inject a system command that will run on the GitHub runner while the workflow is in progress and fetch sensitive data stored there, such as a GitHub token with write permissions.

More info: https://securitylab.github.com/research/github-actions-untrusted-input/

Example of such a scenario: https://github.com/githubevents/open-source-friday/actions/runs/6530510920/job/17729928317
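The remediation the issue asks for, shown as an added example that is not this repository's own workflow: the issue body is passed to the step through an environment variable instead of being expanded inline in the shell script, so the shell treats it as data rather than code. The workflow, job and step names are assumptions.

```yaml
# Added example, not the repository's workflow. Names are assumptions.
name: triage-issue
on:
  issues:
    types: [opened]

# Least privilege: the GITHUB_TOKEN for this job only gets what the job needs,
# which limits what a compromised step could do with it.
permissions:
  issues: write

jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      # VULNERABLE pattern (kept as a comment for contrast): the ${{ }} expression
      # is substituted into the script text *before* the shell runs, so whatever
      # the issue author wrote becomes part of the command line itself.
      # - run: echo "Issue body: ${{ github.event.issue.body }}"

      # HARDENED pattern: the expression is assigned to an environment variable.
      # The script only ever references $ISSUE_BODY, which the shell expands as
      # a quoted value and never re-parses as commands.
      - name: Log issue body safely
        env:
          ISSUE_BODY: ${{ github.event.issue.body }}
        run: |
          printf 'Issue body: %s\n' "$ISSUE_BODY"
```

The same rule applies to every untrusted event field (issue and PR titles, branch names, commit messages, comment bodies): reference them only via `env:` or action inputs, never inline in `run:`.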

AndreaGriffiths11 commented 8 months ago

@NaorYaa thank you very much for being amazing and so proactively identifying and helping remediate this!

NaorYaa commented 8 months ago

You are welcome @AndreaGriffiths11, my pleasure. Have a great week ahead :)