Vulnerable code
```yaml
- name: Determine branch name
  id: branch
  run: |
    if [[ "${{ github.event_name }}" == "pull_request"* ]]; then
      echo "Pull Request"
      echo "branch=${{ github.event.pull_request.head.ref }}" >> $GITHUB_OUTPUT
      echo "repo=${{ github.event.pull_request.head.repo.full_name }}" >> $GITHUB_OUTPUT
    elif [[ "${{ github.event_name }}" == "push" ]]; then
      echo "Push Event"
      echo "branch=${{ github.ref }}" >> $GITHUB_OUTPUT
      echo "repo=${{ github.event.repository.full_name }}" >> $GITHUB_OUTPUT
    else
      echo "Unsupported event type!" >&2
      exit 1
    fi
```
If an attacker forks the project, opens a PR, and names the PR's head branch `username/hedy-fork:main";echo${IFS}"hello";#`, the workflow reads that branch name and substitutes it into the step's `run:` script. The `${{ }}` expression is expanded before the shell ever runs, so the `"` in the branch name closes the preceding quote and the rest of the name is executed as shell commands, giving command execution on the runner and access to sensitive information.
References
# GHSL-2024-053: GitHub Actions expression injection in Hedy