GitHub fixes 'high severity' security flaw spotted by Google
GitHub has finally fixed a high severity security flaw reported to it by Google Project Zero more than three months ago.
The bug affected GitHub's Actions feature – a developer workflow automation tool – which Google Project Zero researcher Felix Wilhelm said was "highly vulnerable to injection attacks". GitHub Actions supports a feature called workflow commands, a communication channel between the Actions runner and the executed action.
While Google described it as a 'high severity' bug, GitHub argued it was a 'moderate security vulnerability'.
Google Project Zero usually discloses any flaws it finds 90 days after reporting them, and by November 2, GitHub had exceeded Google's one-off grace period of 14 days without having fixed the flaw.
A day before the extended disclosure deadline, GitHub told Google it would not be disabling the vulnerable commands by November 2 and then requested a further 48 hours – not to fix the issue, but to notify customers and determine a 'hard date' at some point in the future. Google then published details of the bug 104 days after it reported the issue to GitHub.
GitHub finally got around to addressing the issue last week by disabling the feature's old runner commands, "set-env" and "add-path", as per Wilhelm's suggestion.
The fix was implemented on November 16, two weeks after Wilhelm publicly disclosed the issue.
As Wilhelm noted in his bug report, the old version of GitHub's action runner command "set-env" was interesting from a security perspective because it could be used to define arbitrary environment variables as part of a workflow step.
"The big problem with this feature is that it's highly vulnerable to injection attacks. As the runner process parses every line printed to STDOUT looking for workflow commands, every GitHub action that prints untrusted content as part of its execution is vulnerable," wrote Wilhelm.
"Generally, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed."
Now that GitHub has disabled the two vulnerable commands, Wilhelm has also updated his issue report to confirm the issue is fixed.
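To make the injection concrete, the following is an added example, not code from the article, from GitHub's runner or from Wilhelm's report. It models in Python the runner behaviour Wilhelm describes: every STDOUT line of a step is scanned for a workflow command of the form `::set-env name=X::value` or `::add-path::dir`, and a matching line changes the environment seen by later steps. The regular expression, the `apply_step_output` function, the sample issue title and the choice of `NODE_OPTIONS` as the injected variable are this example's own assumptions; the two command names are the ones the article says GitHub disabled.

```python
import re

# Shape of a workflow command as the Actions runner parsed it from STDOUT:
#   ::<command> <key>=<value>,<key>=<value>::<data>
# The parameter block is optional (add-path has none). This regex is an
# assumption for the example, not the runner's own parser.
COMMAND_RE = re.compile(
    r"^::(?P<cmd>[a-z-]+)(?: (?P<params>[^:]*))?::(?P<data>.*)$"
)

# The two commands GitHub disabled on the runner after the report.
LEGACY_ENV_COMMANDS = {"set-env", "add-path"}


def parse_params(raw):
    """Turn 'name=FOO,other=bar' into a dict (empty when no parameter block)."""
    params = {}
    if not raw:
        return params
    for pair in raw.split(","):
        if "=" in pair:
            key, value = pair.split("=", 1)
            params[key.strip()] = value
    return params


def apply_step_output(stdout, env, legacy_commands_enabled):
    """Simulate the runner scanning each STDOUT line of a step for commands.

    Returns the environment that subsequent steps would inherit. With
    legacy_commands_enabled=True this behaves like the pre-fix runner;
    with False, set-env and add-path lines are dropped, as after the fix.
    """
    env = dict(env)
    for line in stdout.splitlines():
        match = COMMAND_RE.match(line)
        if not match:
            continue  # ordinary log output, nothing to do
        cmd = match.group("cmd")
        params = parse_params(match.group("params"))
        data = match.group("data")
        if cmd in LEGACY_ENV_COMMANDS and not legacy_commands_enabled:
            continue  # post-fix behaviour: the command is ignored
        if cmd == "set-env" and "name" in params:
            env[params["name"]] = data
        elif cmd == "add-path":
            env["PATH"] = data + ":" + env.get("PATH", "")
    return env


# Constructed sample input: an issue title supplied by an untrusted user.
# The embedded newline puts the command on a line of its own, which is all
# the pre-fix runner needed. NODE_OPTIONS is used here because Node.js
# honours it, so a later JavaScript-based action would load /tmp/evil.js.
UNTRUSTED_TITLE = (
    "Fix crash on startup\n"
    "::set-env name=NODE_OPTIONS::--require /tmp/evil.js"
)

# What a well-meaning step such as `echo "Issue: $TITLE"` would print.
STEP_STDOUT = "Issue: " + UNTRUSTED_TITLE + "\n"

BASE_ENV = {"PATH": "/usr/bin:/bin"}


def vulnerable_env():
    """Environment after the step on a runner that still honours set-env."""
    return apply_step_output(STEP_STDOUT, BASE_ENV, legacy_commands_enabled=True)


def fixed_env():
    """Environment after the same step on a runner with the commands disabled."""
    return apply_step_output(STEP_STDOUT, BASE_ENV, legacy_commands_enabled=False)


if __name__ == "__main__":
    print("pre-fix runner :", vulnerable_env().get("NODE_OPTIONS"))
    print("post-fix runner:", fixed_env().get("NODE_OPTIONS"))
```

The point to take from the model is the sink: the attacker never needs to run a command, only to get a string containing `::set-env …` onto its own line of a step's output, which any `echo` of a pull request title, branch name or commit message could do. The real runner also percent-decodes command data and handles other commands; those details are left out here because they do not change the injection.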