The team behind Google’s Project Zero has revealed a safety charity at Github. Project Zero Spurt Weak points and errors in Google’s own software as well as in software developed by other companies. Vulnerabilities have been identified, the security team passes directly to the providers. Afterwards, the affected are 90 days to fix the errors before they are released to the openity.
The found vulnerability classifies the Project Zero as high. The core of the problem is that the workflow commands, which serve as a communication channel between the programs and the action runner, are probably extremely accurate for injection attacks in Github Actions. In this procedure, attackers do not give a program non-trustworthy content that the system is responsible and the states can.
No quick solution of the problem
The Finder of the Safety Chuck, Felix Wilhelm, describes his find as follows: Since the Runner process parses every line at stdout (standard data streams) in search of workflow commands, each Github Action is progressive, which is not trustworthy content in the context of its Execution ies. In most cases, the possibility to set any environment variables to remote code execution as soon as another workflow is executed. Remote Code Execution describes the possibility of an attacker from remotely to computers and end devices and to perform changes through and / or software. Wilhelm have spent some time to view any Github repositories, and almost every project with more complex Github actions is consistent for this error class.
A quick solution for the problem he does not see, as the way workflow commands are implemented are fundamentally insecure. A short-term solution of the Best of which to discard the command syntax, whereas a long-term solution in it to relocate workflow commands into a channel outside the output channel, but also other parts of the dependent code has been affected.
The 90 days are around
According to the timeline in "IE 2070" The Project Zero has already been this security chart on 21. July 2020 discovered. The project always preserves the provider 90 days to fix the error before they are released to the publicity. The deadline for Github ended on the 18th. October.
The activities of the software hosters to resolve security chat did not agree with the standard procedure of Project Zero for disclosure above, so that the security team with the vulnerability and a proof-of-concept code made to be made to the openness. Further information can be found in the contribution of Project Zero.