A severe GitHub security flaw has finally been fixed more than three months after it was first discovered.
Back in July, Google’s Project Zero team notified GitHub that its GitHub Actions feature was highly vulnerable to injection attacks. The firm was given 90 days to patch the flaw, plus a 14-day additional grace period, before it was disclosed publicly.
GitHub managed to solve the issue on November 16, however, by disabling two old runner commands. The former version of the “set-env” runner command, for example, was causing issues because its ability to define arbitrary environment variables meant that it could be exploited to launch injection attacks.
“As the runner process parses every line printed to STDOUT looking for workflow commands, every GitHub action that prints untrusted content as part of its execution is vulnerable,” Google Project Zero researcher Felix Wilhelm explained. “In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed. I’ve spent some time looking at popular GitHub repositories and almost any project with somewhat complex GitHub actions is vulnerable to this bug class.”
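To make the bug class concrete, here is an added example (not code from the article, GitHub or Project Zero) that applies the same line-oriented parse the old runner used to a captured step log and reports any deprecated “set-env” or “add-path” commands, which is what a reviewer would want when auditing an action that echoes untrusted input. The command syntax and the sample log lines are assumptions constructed for this example.

```python
"""Audit captured GitHub Actions step output for the deprecated
'set-env' / 'add-path' workflow commands (the bug class described above).

The old runner scanned every STDOUT line for the syntax
    ::command key=value,key2=value2::data
so untrusted text that a step printed on its own line could smuggle in
a command. This scanner applies the same line-oriented parse and
reports hits, which helps when reviewing logs or testing actions offline.
"""
import re
from dataclasses import dataclass, field

# Commands whose legacy STDOUT form GitHub disabled on November 16.
DEPRECATED_COMMANDS = {"set-env", "add-path"}

# Assumed runner syntax: optional leading whitespace, '::', command name,
# optional parameters separated by commas, '::', then the command value.
_COMMAND_RE = re.compile(r"^\s*::([a-zA-Z0-9_-]+)(?:\s+([^:]*))?::(.*)$")


@dataclass
class WorkflowCommand:
    line_no: int
    command: str
    params: dict = field(default_factory=dict)
    value: str = ""


def parse_command(line: str, line_no: int = 0):
    """Return a WorkflowCommand if the line is a workflow command, else None."""
    m = _COMMAND_RE.match(line)
    if not m:
        return None
    command, raw_params, value = m.group(1), m.group(2) or "", m.group(3)
    params = {}
    for pair in filter(None, raw_params.split(",")):
        key, _, val = pair.partition("=")
        params[key.strip()] = val.strip()
    return WorkflowCommand(line_no, command, params, value)


def find_env_injections(output_lines):
    """Return deprecated env/path commands found in a step's STDOUT lines."""
    hits = []
    for n, line in enumerate(output_lines, start=1):
        cmd = parse_command(line, n)
        if cmd and cmd.command in DEPRECATED_COMMANDS:
            hits.append(cmd)
    return hits


# Constructed sample: a step that prints an untrusted issue body verbatim.
SAMPLE_OUTPUT = [
    "Issue body received from untrusted user:",
    "::set-env name=INJECTED_VAR::value supplied by the issue author",
    "::warning::a legitimate annotation, not an env command",
    "done",
]
```

Running `find_env_injections(SAMPLE_OUTPUT)` flags line 2 only; the `::warning::` annotation is parsed but not reported because it cannot alter the environment.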
Problem solved for now
The patch is likely to be only a short-term fix, as it simply works by deprecating the offending command syntax. A longer-term solution is likely to involve moving workflow commands to an out-of-band channel, but that will affect dependent code, so it might take a while to implement.
Project Zero has now listed the problem as fixed, which leaves nine unresolved security bugs that the team has identified. The outstanding vulnerabilities affect software produced by Apple, Qualcomm, Microsoft and Google itself.
Via ZDNet