Summary
Unquoted variable in the bash code used to close issues can let anyone execute arbitrary code on Github Action servers.
Details
This line has an unquoted variable inside of an if [...], and the variable is actually assigned by people, as it is the issue title. Unquoted variables in Bash might expand to something you don't want to.
PoC
- Create an issue
- Set its title to
export ISSUE_TITLE='-v x[$(your-command-here)] -o false'
- Save it
- Observe as the low effort issues handler runs your-command-here on Github servers!
Impact
Github might not like random people running arbitrary code on their servers on your behalf.
gaussandhisgun Reporter
Summary
Unquoted variable in the bash code used to close issues can let anyone execute arbitrary code on Github Action servers.
Details
This line has an unquoted variable inside of an
if [...], and the variable is actually assigned by people, as it is the issue title. Unquoted variables in Bash might expand to something you don't want to.PoC
export ISSUE_TITLE='-v x[$(your-command-here)] -o false'Impact
Github might not like random people running arbitrary code on their servers on your behalf.