Google Project Zero reported a high-severity security flaw in GitHub.
GitHub, Inc. is a subsidiary of Microsoft which provides hosting for software development and version control using Git.
Over three months ago, Google Project Zero reported a high-severity flaw in GitHub, which has now finally been fixed.
The bug affected GitHub Actions, a developer workflow automation feature, whose workflow commands are “highly vulnerable to injection attacks”, according to Google Project Zero researcher Felix Wilhelm.
The workflow commands in GitHub Actions, which act as a communication channel between executed actions and the Action Runner, are extremely vulnerable to injection attacks.
Google Project Zero usually discloses the flaws it finds 90 days after reporting them.
By November 2, GitHub had also exceeded a one-off 14-day grace period without fixing the flaw, so Google publicly disclosed the issue after GitHub failed to fix it within the allotted 104 days.
Apparently, this put some pressure on the company, as the vulnerability has now been patched.
GitHub finally addressed the issue last week by disabling the feature’s old runner commands, “set-env” and “add-path”, as Wilhelm had suggested.
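As an added illustration of the injection surface described above (example code written for this page, not GitHub's runner or anything from Project Zero's report), the following Python scanner parses the `::command params::data` lines the runner reads from step output and flags the two now-disabled commands, while honouring the `::stop-commands::TOKEN` region the runner uses to suspend command interpretation; the sample log lines and the token value are constructed.

```python
import re

# Syntax the Actions runner looks for on each stdout line of a step:
#   ::command key=value,key2=value2::data
WORKFLOW_CMD = re.compile(r"^::(?P<cmd>[A-Za-z0-9_-]+)(?:\s+(?P<params>.*?))?::(?P<data>.*)$")

# The two legacy commands GitHub disabled; any step output an outsider can
# influence (issue titles, PR bodies, file names) could have triggered them.
RISKY_COMMANDS = {"set-env", "add-path"}

def parse_command(line):
    """Return {'cmd', 'params', 'data'} for a workflow-command line, else None."""
    m = WORKFLOW_CMD.match(line.strip())
    if not m:
        return None
    params = {}
    for kv in filter(None, (m.group("params") or "").split(",")):
        key, _, value = kv.partition("=")
        params[key.strip()] = value.strip()
    return {"cmd": m.group("cmd"), "params": params, "data": m.group("data")}

def find_risky_commands(log_lines):
    """Return (line_no, parsed) for each set-env / add-path line, skipping
    regions the runner itself ignores between ::stop-commands::TOKEN and ::TOKEN::."""
    findings, stop_token = [], None
    for n, raw in enumerate(log_lines, 1):
        line = raw.strip()
        if stop_token is not None:           # inside a stop-commands region
            if line == f"::{stop_token}::":  # resume token ends it
                stop_token = None
            continue
        cmd = parse_command(line)
        if cmd is None:
            continue
        if cmd["cmd"] == "stop-commands":
            stop_token = cmd["data"]
        elif cmd["cmd"] in RISKY_COMMANDS:
            findings.append((n, cmd))
    return findings

# Constructed sample job log, not real output from any GitHub workflow.
SAMPLE_LOG = [
    'Run echo "$PR_BODY"',            # step echoing an untrusted value
    "::set-env name=FOO::bar",        # what that echo can emit
    "::add-path::/tmp/untrusted-bin",
    "::stop-commands::tok123",        # runner stops interpreting commands...
    "::set-env name=IGNORED::x",      # ...so this line is inert...
    "::tok123::",                     # ...until the resume token
    "::set-output name=result::ok",   # not one of the disabled commands
]
```

Running `find_risky_commands(SAMPLE_LOG)` reports lines 2 and 3 only; the set-env on line 5 is skipped because the runner would ignore it too.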
Google Project Zero has since validated GitHub’s fix.