Summary
A code injection vulnerability exists in the Canary CI GitHub Actions workflow (.github/workflows/canary-ci.yml). Because the workflow directly interpolates the contents of an issue comment into a shell script using GitHub Actions expression syntax (${{ }}), any user capable of commenting on a pull request can inject arbitrary code into the workflow execution context. This can lead to unauthorized access, secret exfiltration, and potential repository compromise.
Details
The vulnerability is located in the parse-version job of .github/workflows/canary-ci.yml. Specifically, within the "Get React version from comment" step, the workflow uses expression syntax to directly inject the comment body into a run shell script block:
```yaml
- name: Get React version from comment
  id: get-version
  run: |
    comment="${{ github.event.comment.body }}"
```
GitHub Actions evaluates the ${{ }} expression before the shell script is executed, performing a direct string substitution into the script body. This means that any shell metacharacters (such as double quotes and semicolons) present in the comment body are inserted verbatim into the script source code. The shell then interprets these characters as part of the script's syntax, allowing an attacker to break out of the intended variable assignment and inject arbitrary code that executes in the context of the GitHub Actions runner.
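The check a maintainer would run over a repository's workflows to catch this pattern is shown below as an added example; it is not code from the advisory or from the project. It walks each run: step of a workflow file and reports every ${{ }} interpolation of a context value that an issue or pull-request author controls, going beyond the comment body in the step above to the other fields GitHub documents as untrusted (issue and PR titles and bodies, head branch names, commit messages, review comments). The two sample workflows it scans are constructed here: one mirrors the vulnerable step quoted above, the other the env-variable form.

```shell
#!/bin/sh
# Added example, not code from the advisory or the project: flags untrusted
# event fields interpolated with ${{ }} inside the "run:" script of a workflow.

# scan_workflow FILE
# Prints "FILE:LINE: text" for each run-step line that interpolates a context
# value controlled by whoever opened the issue/PR or commented on it.
# Returns 1 when something was found, 0 when the file is clean.
scan_workflow() {
  awk -v file="$1" '
    function indent(s) { match(s, /^[ \t]*/); return RLENGTH }
    {
      # A non-blank line indented no deeper than the "run:" key ends its block.
      if (in_run && $0 !~ /^[ \t]*$/ && indent($0) <= run_indent) in_run = 0
      check = in_run
      # "run:" as a mapping key, optionally as a list item ("- run:").
      if (match($0, /^[ \t]*(-[ \t]+)?run:/)) {
        run_indent = RLENGTH - 4                              # column where "run:" starts
        in_run = ($0 ~ /^[ \t]*(-[ \t]+)?run:[ \t]*[|>]/)     # block scalar: body follows
        check = 1                                             # inline "run: ..." checked now
      }
      # Expression contexts whose value an external contributor controls.
      if (check && $0 ~ /[$][{][{][^}]*github[.](event[.](comment[.]body|issue[.](title|body)|pull_request[.](title|body|head[.](ref|label))|review[.]body|review_comment[.]body|head_commit[.]message|discussion[.](title|body))|head_ref)/) {
        printf "%s:%d: %s\n", file, NR, $0
        found++
      }
    }
    END { exit (found ? 1 : 0) }
  ' "$1"
}

# Constructed sample: the vulnerable step from the advisory plus one step that
# interpolates a trusted value (the PR number), which must not be flagged.
write_vulnerable_workflow() {
  cat > "$1" <<'EOF'
name: Canary CI
on:
  issue_comment:
    types: [created]
jobs:
  parse-version:
    runs-on: ubuntu-latest
    steps:
      - name: Get React version from comment
        id: get-version
        run: |
          comment="${{ github.event.comment.body }}"
          echo "comment=$comment"
      - name: Trusted value in a run step
        run: echo "PR number ${{ github.event.issue.number }}"
EOF
}

# Constructed sample: the same step with the comment passed through env:.
write_fixed_workflow() {
  cat > "$1" <<'EOF'
name: Canary CI
on:
  issue_comment:
    types: [created]
jobs:
  parse-version:
    runs-on: ubuntu-latest
    steps:
      - name: Get React version from comment
        id: get-version
        env:
          COMMENT_BODY: ${{ github.event.comment.body }}
        run: |
          comment="$COMMENT_BODY"
          echo "comment=$comment"
EOF
}

# Demo: scan both samples.
tmp=$(mktemp -d)
write_vulnerable_workflow "$tmp/canary-ci.yml"
write_fixed_workflow "$tmp/canary-ci-fixed.yml"
scan_workflow "$tmp/canary-ci.yml" || echo "-> untrusted input reaches a run step"
scan_workflow "$tmp/canary-ci-fixed.yml" && echo "-> fixed workflow is clean"
```

Run it over a checkout with `for f in .github/workflows/*.yml; do scan_workflow "$f"; done`; a non-zero exit from any file is a finding. The awk block tracker keys on indentation, so a `run:` body is anything indented deeper than the `run:` key; the `env:` form passes because the `${{ }}` sits under `env:`, outside any run body, where it is assigned to a variable rather than spliced into script text.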
PoC
- Navigate to an existing Pull Request (or create a new one) on the target repository.
- Post the following malicious payload as a comment:
  ```text
  /canary-ci run"; echo "=== PWNED ==="; whoami; echo "
  ```
- The issue_comment event defined in canary-ci.yml will trigger the workflow.
- Navigate to the Actions tab and inspect the logs for the "Get React version from comment" step in the parse-version job.
- Due to the expression evaluation, the shell script that actually executes becomes:
  ```shell
  comment="/canary-ci run"; echo "=== PWNED ==="; whoami; echo ""
  ```
- The log will show the execution of the injected code, demonstrating successful exploitation.
Impact
Vulnerable File: .github/workflows/canary-ci.yml
Vulnerability Type: Code Injection (CWE-94)
Who is impacted:
Repository maintainers, project infrastructure, and any downstream users relying on the integrity of the project's code and releases.
Impact Details:
- Confidentiality: An attacker can exfiltrate sensitive environment variables and secrets exposed to the runner, including the GITHUB_TOKEN.
- Integrity: Using compromised tokens, an attacker could potentially modify source code, push malicious commits, or alter release artifacts.
- Availability: Runner resources could be abused for unauthorized activities. If self-hosted runners are used, the attacker could completely compromise the host system, leading to CI/CD pipeline downtime.
Remediation Advice
To fix this vulnerability in .github/workflows/canary-ci.yml, pass the comment body to the script securely via an environment variable. Environment variables are set before the shell script is parsed, so their contents are never interpreted as code:
```yaml
env:
  COMMENT_BODY: ${{ github.event.comment.body }}
run: |
  comment="$COMMENT_BODY"
```
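To show why the env-variable form is safe, the following added example (not code from the advisory or the project) runs the remediated step's script locally with the advisory's PoC comment supplied through COMMENT_BODY. The comment format "/canary-ci run <version>" and the sample version string are assumptions, since the advisory does not state what the step extracts after the command.

```shell
#!/bin/sh
# Added example, not code from the advisory or the project: the remediated
# step's script, run locally with the PoC comment to show it stays inert.

# The PoC comment from the advisory, constructed here as test input.
PAYLOAD='/canary-ci run"; echo "=== PWNED ==="; whoami; echo "'

# Same assignment as the fixed step: COMMENT_BODY arrives via env:, so the shell
# parses the literal text "$COMMENT_BODY" and never the comment itself.
captured_comment() {
  comment="$COMMENT_BODY"
  printf '%s' "$comment"
}

# parse_version_from_comment
# Assumed comment format (not stated by the advisory): "/canary-ci run <version>".
# Prints the version, or returns 1 when the comment is not a well-formed command,
# so a hostile or malformed comment fails closed instead of reaching later steps.
parse_version_from_comment() {
  comment="$COMMENT_BODY"
  version=$(printf '%s\n' "$comment" |
    sed -n 's/^\/canary-ci run \([A-Za-z0-9][A-Za-z0-9.+-]*\)[[:space:]]*$/\1/p' |
    head -n 1)
  [ -n "$version" ] || return 1
  printf '%s\n' "$version"
}

# Demo: the payload comes back as data, is rejected as a version, and a
# well-formed comment (constructed sample version) yields its version.
echo "captured: $(COMMENT_BODY="$PAYLOAD" captured_comment)"
COMMENT_BODY="$PAYLOAD" parse_version_from_comment || echo "rejected: not '/canary-ci run <version>'"
COMMENT_BODY='/canary-ci run 19.0.0-canary-1234abcd' parse_version_from_comment
```

The double quotes and semicolons in the payload survive into the variable unchanged because the shell's parser only ever saw the text `"$COMMENT_BODY"`; expansion happens after parsing and produces a single word. Validating the extracted value against an allow-list pattern before it is written to a step output is the second layer: even with the injection closed, a later step that uses the value in a command line should only receive something shaped like a version.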