Google Project Zero researchers found a high-risk security vulnerability in GitHub and reported it to GitHub on July 21. Under Google Project Zero's 90-day vulnerability disclosure policy, the disclosure deadline was October 18.
GitHub: Please give me two more days to fix the bug. Google: You have been given 104 days.
Vulnerability overview
The vulnerability lies in GitHub Actions, GitHub's developer workflow automation tool. According to GitHub's documentation, GitHub Actions lets you automate, customize and execute software development workflows right in your repository; you can discover, create and share actions to perform any job you like (including CI/CD), and combine actions into a completely customized workflow.
GitHub Actions supports a feature called workflow commands, which is the communication channel between the Action runner and the executing action. Workflow commands are implemented in runner/src/runner.worker/actioncommandmanager.cs; the runner works by parsing the STDOUT of every action, looking for either of the two command markers.
The big problem with this feature is that it is extremely vulnerable to injection attacks. Because the runner process inspects every line printed to STDOUT for workflow commands, every GitHub action that prints untrusted content is vulnerable. In most cases, the ability to set arbitrary environment variables leads to remote code execution as soon as another workflow step runs.
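To make the injection path and its mitigation concrete, here is an added example (not code from the article or from the GitHub runner): a simplified Python model of a runner scanning an action's STDOUT for `::command key=value::data` lines. It feeds the scanner a constructed issue title that carries a `set-env` line, shows that a runner which honours `set-env` would set the variable, and shows two defences: fencing untrusted output between `::stop-commands::<random token>` and `::<token>::` (a documented GitHub Actions feature), and simply refusing `set-env`/`add-path`, which is what GitHub's fix did. The regular expression, the `UNSAFE_COMMANDS` set and the sample title are assumptions made for this model.

```python
import re
import secrets

# Model of the "::command key=value,key2=value2::data" line format.
# Assumption: a simplified pattern, not the runner's actual parser.
CMD_RE = re.compile(r"^::(?P<cmd>[a-z-]+)(?:\s+(?P<props>[^:]*))?::(?P<data>.*)$")

# Commands that can influence later steps and were disabled in GitHub's fix.
UNSAFE_COMMANDS = {"set-env", "add-path"}

# Constructed untrusted input: an issue title whose second line is a
# workflow command. Nothing here is a real issue or repository.
UNTRUSTED_TITLE = "Fix typo in README\n::set-env name=INJECTED::attacker-controlled"


def parse_workflow_command(line):
    """Return {'cmd', 'props', 'data'} if the line is a workflow command, else None."""
    m = CMD_RE.match(line.rstrip("\n"))
    if not m:
        return None
    props = {}
    if m.group("props"):
        for kv in m.group("props").split(","):
            if "=" in kv:
                k, v = kv.split("=", 1)
                props[k.strip()] = v.strip()
    return {"cmd": m.group("cmd"), "props": props, "data": m.group("data")}


def process_stdout(lines, allow_unsafe=False):
    """Simulate the runner scanning an action's STDOUT.

    Returns (env, findings): env holds the variables a runner that still
    honours set-env would export to later steps; findings lists every
    workflow command seen, which is what a detection rule would log.
    """
    env = {}
    findings = []
    stop_token = None
    for line in lines:
        stripped = line.rstrip("\n")
        # Inside a stop-commands section only the matching end token counts.
        if stop_token is not None:
            if stripped == f"::{stop_token}::":
                stop_token = None
            continue
        cmd = parse_workflow_command(stripped)
        if cmd is None:
            continue
        findings.append(cmd)
        if cmd["cmd"] == "stop-commands":
            stop_token = cmd["data"]
        elif cmd["cmd"] == "set-env" and allow_unsafe:
            # Vulnerable behaviour: untrusted text becomes an env var.
            env[cmd["props"].get("name", "")] = cmd["data"]
        # With allow_unsafe=False, set-env/add-path are recognised but ignored,
        # mirroring the runner change that disabled them.
    return env, findings


def echo_untrusted(content):
    """Vulnerable pattern: the action prints untrusted text straight to STDOUT."""
    return content.splitlines()


def echo_untrusted_guarded(content, token=None):
    """Mitigation: fence untrusted text so embedded commands are not parsed."""
    token = token or secrets.token_hex(16)
    return [f"::stop-commands::{token}", *content.splitlines(), f"::{token}::"]


if __name__ == "__main__":
    env, findings = process_stdout(echo_untrusted(UNTRUSTED_TITLE), allow_unsafe=True)
    print("vulnerable runner exported:", env)
    env, findings = process_stdout(echo_untrusted_guarded(UNTRUSTED_TITLE), allow_unsafe=True)
    print("guarded output exported:", env, "commands seen:", [c["cmd"] for c in findings])
```

The `findings` list is the useful part for a defender: logging every workflow command found in output that originates from pull-request titles, issue bodies or commit messages gives a simple audit trail, and a `set-env` or `add-path` command appearing there is a signal worth alerting on even on a patched runner.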
Timeline
On October 1st, GitHub issued an announcement acknowledging the vulnerability and assigned it CVE-2020-15228, but stated that it was actually a medium-risk vulnerability.
On October 12th, Google Project Zero researchers contacted GitHub, offered to extend the disclosure deadline by 14 days, and asked whether more time was needed to disable the vulnerable commands.
GitHub accepted the 14-day delay and expected to disable the vulnerable commands after October 19th. Google Project Zero therefore planned to make the vulnerability public on November 2.
On October 28th, because GitHub still had not fixed the vulnerability, Google Project Zero contacted GitHub again, noting that less than a week remained before publication, but got no response. With no official response from GitHub, Project Zero reached out through unofficial contacts and was told that the vulnerability would be fixed and that Project Zero could disclose it on November 2 as planned.
On November 1st, GitHub gave an official response, but said it could not disable the vulnerable commands by November 2nd and requested an extra 2 days to notify users about the vulnerability. Those 2 days were not for fixing the vulnerability, and GitHub gave no definite date for a fix.
Therefore, on November 2, Project Zero disclosed the vulnerability as planned.