Summary
Pull request #10149 introduced a GitHub Actions expression injection vulnerability, potentially allowing an attacker to take over the repository.
Details
There is a vulnerability in Line 24 of .github/workflow/CheckIssueForCodeFormatting.yml, where the ${{ github.event.issue.body }} entry is directly used in the run statement. This design allows for the execution of arbitrary commands if a malicious issue is submitted. Consequently, an attacker could compromise the GitHub Runner, thereby accessing sensitive CI secrets such as GH_TOKEN and GITHUB_TOKEN. Therefore, the attacker can push arbitrary code to the repository using the GITHUB_TOKEN.
Impact
We have searched through the entire issue log of the duckdb repository (including the history of the issue bodies) for potential abuses of this vulnerability and have found that this has not been exploited. The vulnerability was patched via PR #11522. No releases were affected by the vulnerability. There are no actions required of users.
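An added illustrative example, not the duckdb workflow itself and not the change made in PR #11522: the injection pattern the advisory describes, placed next to the standard hardened form, which binds the issue body to an environment variable so the shell receives it as data rather than as part of the script text. Only the file name and the ${{ github.event.issue.body }} expression come from the advisory; the trigger, job and step names, the permissions block and the commands are assumptions.

```yaml
# Illustrative workflow (assumed content); only the file name and the
# github.event.issue.body expression are taken from the advisory.
name: CheckIssueForCodeFormatting

on:
  issues:
    types: [opened, edited]

# Least privilege (added hardening, not described on the page): the job only
# needs to read the issue, so GITHUB_TOKEN carries no write scopes even if a
# step on the runner is compromised.
permissions:
  issues: read

jobs:
  # VULNERABLE PATTERN (the shape the advisory describes): the expression is
  # expanded into the script before the shell parses it, so the issue body
  # becomes part of the command line and any shell syntax in it is executed.
  check-unsafe:
    runs-on: ubuntu-latest
    steps:
      - name: Inspect issue body (unsafe)
        run: |
          echo "${{ github.event.issue.body }}" | wc -c

  # HARDENED PATTERN: the expression is expanded into an environment
  # variable, and the script references it with shell syntax. The value is
  # passed to the process as data, so metacharacters in the issue body are
  # never interpreted as commands.
  check-safe:
    runs-on: ubuntu-latest
    steps:
      - name: Inspect issue body (safe)
        env:
          ISSUE_BODY: ${{ github.event.issue.body }}
        run: |
          printf '%s\n' "$ISSUE_BODY" | wc -c
```

The same rule applies to every attacker-controlled event field (issue and pull request titles and bodies, commit messages, branch names, comment text): never interpolate them with ${{ }} into run:, and keep the job's permissions to the minimum it needs so a compromised runner cannot push with the token.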