
CVE-2020-15228 PoC — Environment Variable Injection in GitHub Actions

Source
Associated Vulnerability
Title: Environment Variable Injection in GitHub Actions (CVE-2020-15228)
Description: In the `@actions/core` npm module before version 1.2.6, the `addPath` and `exportVariable` functions communicate with the Actions Runner over stdout by generating a string in a specific format. Workflows that log untrusted data to stdout may invoke these commands, resulting in the path or environment variables being modified without the intention of the workflow or action author. The runner will release an update that disables the `set-env` and `add-path` workflow commands in the near future. For now, users should upgrade to `@actions/core v1.2.6` or later, and replace any instance of the `set-env` or `add-path` commands in their workflows with the new Environment File Syntax. Workflows and actions using the old commands or older versions of the toolkit will start to warn, then error out during workflow execution.
Description
Fix CVE-2020-15228 (set-env, add-path in Github-Actions)
Readme
# Fix CVE-2020-15228 (set-env, add-path in Github-Actions)

This script rewrites lines in your GitHub Actions workflow files.

You give it a directory name, and it searches for all files with the ".sh" or ".yml" extension.

It recognizes these lines:

```
echo ::set-env name=FOO_BAR::$FOO_BAR
echo ::set-env name=FOO_BAR::${FOO_BAR}
echo "::set-env name=FOO_BAR::$FOO_BAR"
echo "::set-env name=FOO_BAR::${FOO_BAR}"
```

All of these lines get rewritten to
```
echo "FOO_BAR=$FOO_BAR" >> $GITHUB_ENV
```

And
```
run: echo ::set-env name=FOO_BAR::"${GITHUB_SHA::8},dev-${GITHUB_SHA::8}"
```
becomes
```
run: echo "FOO_BAR=${GITHUB_SHA::8},dev-${GITHUB_SHA::8}" >> $GITHUB_ENV
```
# Run

You can apply the script directly, like this. All ".sh" and ".yml" files in "your_repo/.github/workflows" get updated in place.

```
curl -sSL https://raw.githubusercontent.com/guettli/fix-CVE-2020-15228/main/fix_CVE_2020_15228.py | python3 - your_repo/.github/workflows
```

Please give this project a "star" if it was useful to you.

# TODO: add-path

I don't have any working example of `add-path`. For now, `add-path` lines are not updated.

If you tell me the desired transformation, then I can add it. Thank you.
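The rewrite described above, as an added example written for this page; it is not the project's own `fix_CVE_2020_15228.py` (whose code is not reproduced here). It converts the four `set-env` forms and the quoted-value form to the `$GITHUB_ENV` file syntax, and separately lists any remaining `set-env`/`add-path` commands so that the `add-path` lines the script leaves alone can still be found and fixed by hand. The sample workflow is constructed.

```python
import re

# Matches the first `echo` on a line; `prefix` keeps indentation and any
# `run:` key so the rewritten line stays valid YAML / shell.
ECHO_RE = re.compile(r'^(?P<prefix>.*?\becho\s+)(?P<arg>.+?)\s*$')
# Legacy runner commands that CVE-2020-15228 made unsafe.
LEGACY_RE = re.compile(r'::(set-env|add-path)\b')
NAME_RE = re.compile(r'[A-Za-z_][A-Za-z0-9_]*')


def _unquote(s: str) -> str:
    """Strip one pair of matching surrounding quotes, if present."""
    if len(s) >= 2 and s[0] == s[-1] and s[0] in ('"', "'"):
        return s[1:-1]
    return s


def rewrite_set_env(line: str) -> str:
    """Rewrite `echo ::set-env name=X::VALUE` to `echo "X=VALUE" >> $GITHUB_ENV`.

    Lines that do not carry a set-env command are returned unchanged.
    """
    m = ECHO_RE.match(line)
    if not m:
        return line
    arg = _unquote(m.group('arg'))          # echo "::set-env ..." form
    if not arg.startswith('::set-env name='):
        return line
    name, sep, value = arg[len('::set-env name='):].partition('::')
    if not sep or not NAME_RE.fullmatch(name):
        return line
    value = _unquote(value)                  # ::set-env name=X::"quoted value" form
    return f'{m.group("prefix")}"{name}={value}" >> $GITHUB_ENV'


def rewrite_workflow(text: str) -> str:
    """Apply rewrite_set_env to every line of a workflow or shell file."""
    out = '\n'.join(rewrite_set_env(l) for l in text.splitlines())
    return out + ('\n' if text.endswith('\n') else '')


def find_legacy_commands(text: str):
    """Return (line_number, command) for every remaining set-env / add-path use."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LEGACY_RE.search(line)
        if m:
            hits.append((lineno, m.group(1)))
    return hits


# Constructed sample workflow (not from the project or the advisory).
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo ::set-env name=FOO_BAR::$FOO_BAR
      - run: echo "::set-env name=TAG::${GITHUB_SHA::8}"
      - run: echo "::add-path::$HOME/.local/bin"
      - run: echo done
"""

if __name__ == '__main__':
    fixed = rewrite_workflow(SAMPLE_WORKFLOW)
    print(fixed)
    for lineno, cmd in find_legacy_commands(fixed):
        print(f'line {lineno}: `{cmd}` still present, fix by hand')
```

The rewritten form assumes single-line values; a value containing a newline would need GitHub's documented multi-line delimiter syntax for environment files, which this example does not generate.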
File Snapshot

```
[4.0K] /data/pocs/e447a72d645b3ea93ebd7274acba2d02f591e674
├── [2.5K] fix_CVE_2020_15228.py
├── [1.0K] LICENSE
├── [1.1K] README.md
└── [ 863] setup.py

0 directories, 4 files
```