Summary
The pull-checks.yml workflow is vulnerable to command injection because it uses the untrusted github.head_ref field directly in a shell command.

Details
cookbook/.github/workflows/pull-checks.yml, line 67 in a14d6ff:

    git checkout -b head-branch head/${{ github.head_ref }}

See this blog post for background: https://securitylab.github.com/research/github-actions-untrusted-input/

PoC
The github.head_ref value is attacker-controlled (it is the name of the pull request's head branch). Setting it to

    zzz";echo${IFS}"hello";#

leads to command injection.

Impact
Since the workflow's permissions are not restricted, the attacker gains write access to the repository.
There is no risk to users of the app within the Nextcloud server. This only affects the main repository and possible forks of it. Make sure your fork is on the latest version to prevent code injection attacks and similar.
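An added example (not the cookbook project's own workflow; job and step names are assumed) contrasting the injectable step above with the pattern recommended in the linked GitHub Security Lab post: pass github.head_ref to the step through an environment variable, quote it in the shell, and restrict the job's token permissions.

```yaml
# Added example, not the project's workflow. Job/step names are assumed.
jobs:
  pull-checks:
    runs-on: ubuntu-latest
    # Least privilege: even if a step were still injectable, the job's
    # GITHUB_TOKEN could not push to the repository.
    permissions:
      contents: read
    steps:
      # Vulnerable pattern (shown for contrast): the ${{ }} expression is
      # expanded into the script text BEFORE bash parses it, so shell
      # metacharacters in the branch name become part of the command.
      - name: Check out PR head (vulnerable)
        run: |
          git checkout -b head-branch head/${{ github.head_ref }}

      # Hardened pattern: the value reaches the step only through the
      # environment. Bash parses the literal text "$HEAD_REF" and expands
      # it as data, so a crafted branch name cannot change the command.
      - name: Check out PR head (hardened)
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: |
          # Reject anything that is not a well-formed branch name before use.
          git check-ref-format --branch "$HEAD_REF"
          git checkout -b head-branch "head/$HEAD_REF"
```

Any other context field listed as untrusted in the linked post (for example pull request titles or bodies) should be passed the same way, never interpolated into run: text.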