Google spotted and reported a high-severity flaw affecting GitHub around three months ago. However, GitHub patched the vulnerability only recently.
In July 2020, Google Project Zero team researchers reported the flaw to GitHub affecting the platform. Specifically, they found the issue with GitHub’s Actions feature that could allow code injection attacks. As described in the bug report,
As the runner process parses every line printed to STDOUT looking for workflow commands, every GitHub action that prints untrusted content as part of its execution is vulnerable. In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed.
Google researchers described this GitHub vulnerability as a high-severity flaw. However, GitHub initially deemed it a moderately severe bug only.
Moreover, they also failed to deploy a fix for the bug within the 90-day disclosure period. In fact, they even missed the 14-day grace period and still asked for more time. That too, according to Google, to notify the customers instead of deploying a patch.
However, the researchers didn’t agree to it and went ahead with a public disclosure earlier this month. Google clearly has a policy of not extending the disclosure timelines if the fix doesn’t arrive within 104 days.
GitHub High-Severity Vulnerability Patched
Now, finally, GitHub has fixed the vulnerability (CVE-2020-15228) with version 1.2.6. Describing the patch for the bug in their advisory, GitHub stated,
The runner will release an update that disables the set-env and add-path workflow commands in the near future. For now, users should upgrade to @actions/core v1.2.6 or later, and replace any instance of the set-env or add-path commands in their workflows with the new Environment File Syntax. Workflows and actions using the old commands or older versions of the toolkit will start to warn, then error out during workflow execution.
GitHub also confirmed of no workarounds, hence, urging on an immediate upgrade.