The tj-actions/verify-changed-files
action allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets.
The verify-changed-files
workflow returns the list of files changed within a workflow execution.
This could potentially allow filenames that contain special characters such as ;
and ` (backtick) which can be used by an attacker to take over the GitHub Runner if the output value is used in a raw fashion (thus being directly replaced before execution) inside a run
block. By running custom commands an attacker may be able to steal secrets such as GITHUB_TOKEN
if triggered on other events than pull_request
. For example on push
.
$(whoami).txt
would be a valid filename.List all changed files tracked and untracked files
step.
- name: List all changed files tracked and untracked files
run: |
echo "Changed files: ${{ steps.verify-changed-files.outputs.changed_files }}"
Example output:
##[group]Run echo "Changed files: $(whoami).txt"
echo "Changed files: $(whoami).txt"[0m
shell: /usr/bin/bash -e {0}
##[endgroup]
Changed files: runner.txt
This issue may lead to arbitrary command execution in the GitHub Runner.
A new safe_output
input would be enabled by default and return filename paths escaping special characters like ;, ` (backtick), $, (), etc for bash environments.
A safe recommendation of using environment variables to store unsafe outputs.
- name: List all changed files tracked and untracked files
env:
CHANGED_FILES: ${{ steps.verify-changed-files.outputs.changed_files }}
run: |
echo "Changed files: $CHANGED_FILES"
{ "nvd_published_at": "2023-12-29T17:16:07Z", "cwe_ids": [ "CWE-20", "CWE-77" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-01-02T16:42:27Z" }