
1.2.0 - Security Fix: Safer branch name handling

@martingjaldbaek martingjaldbaek released this 29 Jul 15:43
· 15 commits to master since this release
e7bf745

Security fix: branch names can contain shell metacharacters, so a PR with a maliciously crafted branch name could previously be used to inject shell commands into the action, for example to leak the GitHub token (which has write permission to the repository) that the action runs with. Note that this attack vector was only exploitable by someone able to open PRs against the repository (i.e. in public/open source repos).
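The following script is an added example and not the project's own code; it reproduces the class of bug the release note describes so the difference between the vulnerable and the safe pattern is visible. The token value, the branch name and the function names are constructed for the demonstration. Git's ref rules forbid space, `~`, `^`, `:`, `?`, `*`, `[` and `\` in a branch name but allow `$`, `(`, `)`, `;`, `|` and backticks, so a branch called `pr/$(printf %s "$GITHUB_TOKEN")` is a legal ref that anyone who can open a PR can supply; an attacker would of course send the token to a server they control rather than echo it.

```shell
#!/bin/sh
# Added example (not the project's code): shell injection through a PR branch
# name, and the hardened form. Every name and value below is constructed.

# Constructed stand-in for the token the action runs with (NOT a real credential).
export GITHUB_TOKEN='ghs_EXAMPLE_TOKEN_DO_NOT_USE'

# Constructed attacker-controlled PR head ref. This is a valid git branch name.
MALICIOUS_BRANCH='pr/$(printf %s "$GITHUB_TOKEN")'

# Vulnerable pattern: the branch name is spliced into the command text, so the
# child shell parses it and runs the embedded command substitution. In a
# workflow file this is the same bug as:  run: git checkout ${{ github.head_ref }}
vulnerable_checkout() {
    sh -c "echo checking out $1"
}

# Hardened pattern: the command text is a constant and the branch name travels
# as a positional parameter ($1 inside the child shell), so it is only ever
# data. In a workflow: put the ref in env: and reference it as "$BRANCH".
safe_checkout() {
    sh -c 'echo checking out "$1"' sh "$1"
}

# Defence in depth: allowlist the characters a branch name may contain and
# reject a leading '-' so the name cannot be read as an option by git or other
# tools (also put "--" before the ref when passing it to git).
validate_branch() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9._/-]*$'
}

# Demonstration output when run directly.
echo "vulnerable: $(vulnerable_checkout "$MALICIOUS_BRANCH")"   # token leaks
echo "hardened:   $(safe_checkout "$MALICIOUS_BRANCH")"         # name stays literal
if validate_branch "$MALICIOUS_BRANCH"; then
    echo "validator: accepted $MALICIOUS_BRANCH"
else
    echo "validator: rejected $MALICIOUS_BRANCH"
fi
```

The vulnerable line prints the token because the outer shell substitutes the branch name into the string before the inner `sh -c` ever sees it; the hardened line prints the branch name verbatim, command substitution and all, because nothing re-parses it as code. The validator is a second layer, not a replacement for passing the name as data: it also stops a name such as `--upload-pack=...` from being treated as an option by a tool that receives it as an argument.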

Props to RyotaK for reporting the vulnerability, and supplying a fix.