Google’s Project Zero team has revealed serious security vulnerabilities in GitHub Actions

Over the past few years, the Google Project Zero team has disclosed serious security vulnerabilities affecting platforms such as Windows 10, macOS, and iOS. Typically, the affected vendor is given 90 days to prepare a fix before the details of the vulnerability are publicly disclosed. In the latest news, the Google Project Zero team has just revealed a “highly serious” security vulnerability affecting GitHub, the open source hosting platform.

The problem is reported to stem from the fact that workflow commands in GitHub Actions are highly vulnerable to injection attacks. Workflow commands are the mechanism an action uses to communicate with the Action Runner.

Felix Wilhelm discovered this serious security vulnerability while reviewing the source code: “Because the runner process parses every line of STDOUT looking for workflow commands, any GitHub action that prints untrusted content during its execution is affected.”

In most cases, the ability to set an arbitrary environment variable leads to remote code execution as soon as another workflow is executed. In other words, this design makes workflows highly vulnerable to injection attacks.

Felix Wilhelm spent some time looking at popular GitHub repositories and found that almost every project with a somewhat complex GitHub Actions workflow was susceptible to this bug.

After discovering the vulnerability on July 21, the Project Zero team informed GitHub and gave it the standard 90-day grace period (until October 18).

Eventually GitHub decided to deprecate the vulnerable commands and issued an advisory for a “moderately critical security vulnerability” advising developers to update their workflows.
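One way for developers to check their own workflows for steps that still emit the deprecated STDOUT-parsed commands, and to see the environment-file replacement for each, added here as an illustration rather than code from GitHub or Project Zero. It assumes the two deprecated commands are `::set-env` and `::add-path` and that the replacement is appending to the files named by `GITHUB_ENV` and `GITHUB_PATH`; the article names none of these, and the sample workflow is constructed.

```python
import re

# The two deprecated commands that the runner used to parse out of STDOUT.
# Assumption: the article does not name them; these are GitHub's real names.
DEPRECATED_CMD = re.compile(
    r"::(?P<cmd>set-env|add-path)(?:\s+name=(?P<name>[^:]+))?::(?P<value>.*)$"
)


def rewrite(cmd, name, value):
    """Return the environment-file equivalent, which bypasses STDOUT parsing."""
    if cmd == "set-env":
        return f'echo "{name}={value}" >> "$GITHUB_ENV"'
    return f'echo "{value}" >> "$GITHUB_PATH"'


def scan_workflow(text):
    """Flag every line of a workflow file that emits a deprecated command.

    Returns a list of (line_number, command, suggested_replacement).
    This is a line-level pattern check, not a YAML parser, so commands that
    are built dynamically or printed by third-party actions are not seen.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = DEPRECATED_CMD.search(line)
        if not m:
            continue
        cmd = m.group("cmd")
        name = (m.group("name") or "").strip()
        value = m.group("value").rstrip("\"' ")  # drop the closing shell quote
        findings.append((lineno, cmd, rewrite(cmd, name, value)))
    return findings


# Constructed sample workflow, not taken from any real repository.
SAMPLE_WORKFLOW = """\
name: build
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "::set-env name=APP_VERSION::1.2.3"
      - run: echo "::add-path::/opt/tools/bin"
      - run: echo "APP_VERSION=1.2.3" >> "$GITHUB_ENV"
      - run: echo "::warning::still fine, not an env or path command"
"""

if __name__ == "__main__":
    for lineno, cmd, fix in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: deprecated ::{cmd} -> use: {fix}")
```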

Awkwardly, Felix Wilhelm was not sure how to solve the problem, because the way workflow commands are implemented is fundamentally insecure.

As a short-term response, GitHub first had to deprecate the command syntax. For a long-term fix, workflow commands still need to be moved out of the STDOUT channel to somewhere else, but doing so can break other dependent code and cause headaches for everyone.

On October 16, the Project Zero team granted GitHub an additional 14-day grace period to disable the commands completely (moving the deadline to November 2).

But when GitHub then asked for a further 48-hour extension, Project Zero judged that repeated delays would not solve the problem and would violate its standard vulnerability disclosure process, and it published the vulnerability details and proof-of-concept code.