The Check issue comment workflow uses the issue comment body in the github-script actions as follows:
const comment="${{ github.event.comment.body }}"
Because this value is provided by the user when they create an issue commit, this provides an opportunity for an attacker to exploit the workflow with by crafting an issue comment that tricks the script into executing code where it's expecting data.
If we create an issue comment with the contents...
octocat";console.log('Script injected!!!');//
...the script looks like the following...
const comment="octocat";console.log('Script injected!!!');//"
This payload closes the initial quote, then ends the command with a semicolon. This allows the following console.log('Script injected!!!');
command to run as a separate command.
Let's see this in action by creating a new issue comment with this body and see what happens.
Follow the steps below to exlpoit the script injection vulnerability in your repo:
- Go to the Issues tab and click one of the issue we had created previously.
- In the comment field at the bottom, enter
console.log('Script injected!!!');//
and click the greenComment
button. - Navigate to the Actions tab and select the
Check issue comment
actions workflow on the left. - Click on the workflow run.
- Click on the job
check-issue-comment
. - In the
check-issue-comment
job lob, click the>
to the left ofCheck issue comment
step to see the output. - Observe that the workflow runs the command
console.log('Script injected!!!');//
!