Command Injection via the .env file #5

@nikitastupin

Hi @c-py,

The action is vulnerable to a command injection vulnerability. This makes workflows that use the action in pull_request_target and other contexts with read/write access vulnerable.

You may contact me @nikitastupin on Telegram or _nikitastupin on Twitter if you have questions or doubts.

P.S. I tried to find a private channel of communication with no luck, so the only way was to file the issue publicly.

Steps to Reproduce

Create the .env file with the following contents:

TEST='"; echo "untrusted code execution!" >&2 #'

Run ./dotenv.sh script. You should see the following output:

untrusted code execution!
dotenv.sh: line 66: $GITHUB_ENV: ambiguous redirect

Remediation

I would suggest avoiding eval as part of the action logic.
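An eval-free way to read a .env file, as an added example that is not part of the original issue or the action's own code. The function name parse_dotenv and its FILE/OUT interface are assumptions; every line is handled strictly as data.

```shell
#!/bin/sh
# Added example, not the action's code. parse_dotenv is a hypothetical helper:
# it copies KEY=VALUE lines from FILE to OUT and never hands them to eval.
parse_dotenv() (
  file=$1 out=$2 n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    # Blank lines and comments carry no assignment.
    case $line in ''|'#'*) continue ;; esac
    # Anything without '=' is not an assignment.
    case $line in
      *=*) ;;
      *) echo "line $n skipped: not KEY=VALUE" >&2; continue ;;
    esac
    key=${line%%=*}
    value=${line#*=}
    # Accept only identifier-shaped keys; everything else is rejected.
    case $key in
      ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
        echo "line $n skipped: invalid key" >&2; continue ;;
    esac
    # Drop one pair of matching outer quotes. The inner text stays literal,
    # so quotes, ';', '$' and '#' inside it are never interpreted.
    case $value in
      \"*\") value=${value#\"}; value=${value%\"} ;;
      \'*\') value=${value#\'}; value=${value%\'} ;;
    esac
    # printf with a fixed format writes the value as data, one line per key.
    printf '%s=%s\n' "$key" "$value" >> "$out"
  done < "$file"
)

# Usage: sh parse_dotenv.sh .env "$GITHUB_ENV"
if [ "$#" -eq 2 ]; then
  parse_dotenv "$1" "$2"
fi
```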
