[BUG] Security Vulnerability: Unsafe eval Usage in ADDITIONAL_PARAMETERS Handling #166
Labels
bug
Something isn't working
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
Describe the "bug"
I've identified a critical security vulnerability within the GitHub Action due to the handling of the "ADDITIONAL_PARAMETERS" input. The issue arises from the use of
evalto process this input, which can allow for the execution of arbitrary commands. This misuse ofevalposes a significant security risk, as it could potentially be exploited to bypass CI controls or expose sensitive information, such as theGITHUB_TOKEN.ast-github-action/entrypoint.sh
Line 5 in 75a1d77
Expected behavior
The expected behavior would be for the GitHub Action to securely handle input parameters without executing them as code. Ideally, inputs should be sanitized or validated to ensure that they cannot be used to inject malicious code.
Actual behavior
The actual behavior is that the "ADDITIONAL_PARAMETERS" input is processed with
eval, allowing for the injection of arbitrary commands. For example, injecting"); exit 0; #can terminate the script prematurely, and similarly,"); echo $GITHUB_TOKEN; #could potentially expose the GitHub token or other sensitive environment variables.Steps to reproduce
To reproduce the vulnerability, you can follow these steps:
"); exit 0; #.Additional comments
This vulnerability exposes projects to significant risks, including unauthorized access to sensitive information or manipulation of the CI/CD process. It is crucial to address this issue to maintain the security integrity of projects using this GitHub Action.
Logs
Due to the nature of this report, providing specific logs might inadvertently expose sensitive information. However, the behavior can be verified by following the reproduction steps provided above with a test command designed to demonstrate the arbitrary command execution.
The text was updated successfully, but these errors were encountered: