
Google discloses serious GitHub security vulnerability

2025-01-17 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31 Report --

Google's Project Zero team has publicly disclosed a serious vulnerability in GitHub that can be used to launch injection attacks against the popular developer platform. The search giant's team of security analysts has a record of discovering major vulnerabilities in widely used software; earlier this week it revealed a Windows zero-day that could allow attackers to seize control of a computer.

Back in January, Project Zero changed its disclosure policy, giving vendors a full 90 days to fix problems in their systems or software before details are published. That is why GitHub was originally given until October 18 to fix this serious flaw, which Google researchers discovered in July. As the deadline approached, GitHub deprecated the vulnerable commands in October and issued a security bulletin warning users to update their workflows.

Then, in mid-October, the developer platform was granted a 14-day grace period by Project Zero, moving the public disclosure date to November 2.

The vulnerability is tracked as CVE-2020-15228 and concerns workflow commands in GitHub Actions, which are vulnerable to injection attacks. These commands serve as a communication channel between the actions executed on the platform and the runner process that executes them.

Felix Wilhelm, a senior information security engineer at Google, explained in the Project Zero report that almost all projects with complex GitHub Actions are vulnerable to injection attacks. He said:

"The biggest problem with this feature is that it is vulnerable to injection attacks. Because the runner process parses every line printed to STDOUT looking for workflow commands, every GitHub action that prints untrusted content during its execution is vulnerable. In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed. I spent some time looking at popular GitHub repositories, and almost all projects with somewhat complex GitHub actions are vulnerable to this bug."

Wilhelm believes it will be very difficult for GitHub to solve this problem completely, because the way workflow commands are implemented is "fundamentally insecure." Deprecating the command syntax works as a short-term fix, but a long-term solution will require moving workflow commands to an out-of-band channel, which may in turn break other code that depends on them.
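The mechanics described above, as an added example that is not the runner's code, Project Zero's proof of concept, or anything from the original report: a small Python simulation of how a runner that scans STDOUT for `::command param=value::data` lines can be driven by untrusted output. The regex, the step names, the PR title and the choice of `NODE_OPTIONS` as the injected variable are all illustrative assumptions (the article only states that setting any environment variable leads to code execution in a later step). Three runner behaviours are contrasted: the legacy runner that honours `set-env` from STDOUT, the same runner with the untrusted output wrapped in `::stop-commands::TOKEN` / `::TOKEN::`, and a fixed runner that ignores `set-env` entirely and reads environment changes only from an out-of-band file, which is the long-term fix the report calls for.

```python
"""Simulation of GitHub Actions workflow-command injection (example code, not the runner's own).

Assumptions: the runner scans each STDOUT line for ``::name key=value::data``;
``::stop-commands::TOKEN`` suspends parsing until ``::TOKEN::``; the legacy
``set-env``/``add-path`` commands change the environment of later steps.
"""
import os
import re
import secrets
from typing import Dict, Iterable, List, Optional, Tuple

# Approximation of the runner's line matcher: ::command params::value
CMD_RE = re.compile(r"^::([^:\s]+)(?:\s+([^:]*))?::(.*)$")
LEGACY_COMMANDS = {"set-env", "add-path"}  # the pair GitHub deprecated in October 2020

Command = Tuple[str, Dict[str, str], str]


def parse_workflow_commands(stdout_lines: Iterable[str]) -> List[Command]:
    """Return the (name, params, value) triples a runner would act on."""
    found: List[Command] = []
    stop_token: Optional[str] = None
    for line in stdout_lines:
        m = CMD_RE.match(line.rstrip("\r\n"))
        if not m:
            continue
        name, raw_params, value = m.group(1), m.group(2) or "", m.group(3)
        if stop_token is not None:
            # While suspended, only the matching resume token is honoured
            if name == stop_token and value == "":
                stop_token = None
            continue
        if name == "stop-commands":
            stop_token = value
            continue
        params: Dict[str, str] = {}
        for kv in filter(None, raw_params.split(",")):
            key, _, val = kv.partition("=")
            params[key.strip()] = val.strip()
        found.append((name, params, value))
    return found


def apply_commands(env: Dict[str, str], cmds: Iterable[Command], legacy_enabled: bool) -> Dict[str, str]:
    """Apply set-env/add-path to a copy of env; a fixed runner ignores them."""
    env = dict(env)
    for name, params, value in cmds:
        if name not in LEGACY_COMMANDS or not legacy_enabled:
            continue
        if name == "set-env":
            env[params["name"]] = value
        else:  # add-path
            env["PATH"] = value + os.pathsep + env.get("PATH", "")
    return env


def apply_env_file(env: Dict[str, str], env_file_lines: Iterable[str]) -> Dict[str, str]:
    """Out-of-band channel (a GITHUB_ENV-style file): KEY=VALUE lines, STDOUT never consulted."""
    env = dict(env)
    for line in env_file_lines:
        key, sep, val = line.rstrip("\n").partition("=")
        if sep:
            env[key] = val
    return env


# Constructed attacker-controlled input (e.g. a pull-request title). The embedded
# newline puts the injected command at the start of its own STDOUT line.
ATTACKER_PR_TITLE = "Fix typo\n::set-env name=NODE_OPTIONS::--require /tmp/payload.js"
BASE_ENV = {"PATH": "/usr/bin"}


def naive_log_step(pr_title: str) -> List[str]:
    """Stand-in for an action that logs untrusted input verbatim."""
    return f"Processing PR: {pr_title}".split("\n")


def guarded_log_step(pr_title: str, token: str) -> List[str]:
    """Same step, with the untrusted region wrapped in stop-commands."""
    return [f"::stop-commands::{token}", *naive_log_step(pr_title), f"::{token}::"]


def env_after_vulnerable_runner(pr_title: str = ATTACKER_PR_TITLE) -> Dict[str, str]:
    """Legacy runner: the injected set-env lands in the next step's environment."""
    return apply_commands(BASE_ENV, parse_workflow_commands(naive_log_step(pr_title)), legacy_enabled=True)


def env_after_guarded_step(pr_title: str = ATTACKER_PR_TITLE, token: Optional[str] = None) -> Dict[str, str]:
    """Legacy runner, but the action suspended command parsing with a per-run secret token."""
    token = token or secrets.token_hex(16)
    return apply_commands(BASE_ENV, parse_workflow_commands(guarded_log_step(pr_title, token)), legacy_enabled=True)


def env_after_fixed_runner(pr_title: str = ATTACKER_PR_TITLE) -> Dict[str, str]:
    """Fixed runner: set-env on STDOUT is ignored; only the out-of-band file is read."""
    env = apply_commands(BASE_ENV, parse_workflow_commands(naive_log_step(pr_title)), legacy_enabled=False)
    return apply_env_file(env, ["BUILD_MODE=release\n"])  # what the action itself wrote to the env file


if __name__ == "__main__":
    print("legacy runner :", env_after_vulnerable_runner())
    print("stop-commands :", env_after_guarded_step())
    print("fixed runner  :", env_after_fixed_runner())
```

The `stop-commands` guard only helps if the token is unguessable and the action author remembers to use it around every print of untrusted data, which is why it is a stopgap rather than a fix. Moving to a file-based channel removes STDOUT from the trust boundary entirely, but values written to that file must still not contain attacker-controlled newlines, or the same class of line-oriented injection reappears one layer down.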

Just before the grace period ended, GitHub asked Project Zero for another 48 hours, not to fix the flaw but to notify more customers and set a final date for the fix.
