
Code injection in Github Actions `docs_pr_comment.yml` in privileged context

Moderate
bkueng published GHSA-mq93-4g5w-w34h Aug 15, 2025

Package

actions CI (GitHub Actions)

Affected versions

main

Patched versions

main

Description

Summary

A code injection vulnerability was identified in the PX4/PX4-Autopilot project within the docs_pr_comment.yml GitHub Actions workflow on the latest main branch. An attacker could exploit this issue in a privileged context to execute arbitrary code, potentially compromising the CI/CD pipeline.

Tested Version

latest main branch

Details

A code injection vulnerability was identified in the GitHub action .github/workflows/docs_pr_comment.yml. At line 59, the workflow evaluates user-controlled content:

echo "${{ steps.read-error-by-page.outputs.content }}"

The content is read from the file './errorsFilteredByPrPages.md' using the juliangruber/read-file-action@v1 action and is evaluated using the ${{}} syntax. While the echo command uses quotes, this is not sufficient protection against code injection: the runner substitutes the expression into the script text before the shell parses it, so a value containing a double quote can close the quoted string and append arbitrary commands.

The workflow is triggered by workflow_run and depends on .github/workflows/docs_flaw_checker.yml, which is triggered by pull_request_target. The workflow runs in a privileged context since pull_request_target is a high-privilege trigger (it runs with the base repository's permissions and secrets). This means an attacker can trigger the workflow through a pull request.

In particular, the content of the file errorsFilteredByPrPages.md is the output of the tool markdown_link_checker_sc, which contains the file paths in the PR branch that do not pass the linter test. A malicious attacker can create malicious file names to inject code; for example, a file name " & echo 123 & .md would execute echo 123 when evaluated in docs_pr_comment.yml.

Impact

This issue may lead to code execution in a high-privilege context.

Remediation

Consider using an intermediate environment variable to store the output of steps.read-error-by-page.outputs.content instead of evaluating it directly.
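The following workflow fragment is an added illustration of that remediation and is not the project's docs_pr_comment.yml as committed; the step id, the read-file action and the file path are taken from this advisory, while the workflow name, the upstream workflow's display name and the assumption that ./errorsFilteredByPrPages.md is already present in the workspace are mine.

```yaml
# Added example: vulnerable pattern next to the remediated form.
# Assumed: the file ./errorsFilteredByPrPages.md already exists in the
# workspace (the advisory does not show how the upstream job delivers it).
name: docs-pr-comment-example
on:
  workflow_run:
    workflows: ["Docs flaw checker"]   # assumed display name of docs_flaw_checker.yml
    types: [completed]

jobs:
  comment:
    runs-on: ubuntu-latest
    steps:
      - id: read-error-by-page
        uses: juliangruber/read-file-action@v1
        with:
          path: ./errorsFilteredByPrPages.md

      # VULNERABLE (the pattern described in the advisory, kept commented out):
      # the ${{ }} expression is substituted into the script text by the runner
      # before bash parses it, so a file name such as `" & echo 123 & .md` closes
      # the quoted string and the remainder is executed as shell commands.
      #
      # - run: echo "${{ steps.read-error-by-page.outputs.content }}"

      # REMEDIATED: pass the value through an intermediate environment variable.
      # The runner places the content in CONTENT; bash then sees the literal text
      # "$CONTENT" and expands it as data, never as command syntax.
      - name: Print filtered errors
        env:
          CONTENT: ${{ steps.read-error-by-page.outputs.content }}
        run: |
          # printf avoids echo's option parsing on values that begin with '-'
          printf '%s\n' "$CONTENT"
```

The same env-variable pattern applies to every other `run:` step that interpolates PR-controlled data (branch names, titles, file lists); only expressions that are guaranteed to be numeric or repository-controlled are safe to inline.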

Severity

Moderate

CVE ID

No known CVE

Weaknesses

No CWEs