GitHub has fixed a high-severity security flaw that was reported to it by Google Project Zero around three months ago. The bug affected GitHub Actions, the platform's developer workflow automation feature, which Google Project Zero researcher Felix Wilhelm found to be extremely vulnerable to injection attacks, as per a report by ZDNet. While Google described it as a 'high severity' bug, GitHub argued it was a 'moderate security vulnerability'.
As per the report, Google Project Zero usually discloses any flaws it finds 90 days after reporting them. By 2 November, GitHub had also exceeded Google's one-off 14-day grace period without fixing the flaw.
As per the report, a day before the disclosure deadline, GitHub told Google it would disable the vulnerable commands by November 2 and then requested an additional 48 hours. It asked for this not to fix the issue, but to notify customers and determine when it would look into the issue at a later date.
Finally, 104 days after the issue was reported to GitHub, Google published details of the bug.
GitHub finally got around to addressing the issue last week by disabling the feature's old runner commands, "set-env" and "add-path".
Wilhelm had written in his bug report that "set-env" was interesting because it could be used to define arbitrary environment variables as part of a workflow step. With GitHub having fixed the issue, Wilhelm has also updated his report to confirm that the matter has been resolved, the report added.
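The old runner treated any stdout line of the form `::set-env name=NAME::VALUE` or `::add-path::DIR` as a command, which is why output derived from untrusted input could define environment variables. The audit script below, an example added here rather than code from the article, Google or GitHub, scans constructed step output for those retired commands and rewrites them as appends to the `$GITHUB_ENV` / `$GITHUB_PATH` files that GitHub introduced as the replacement (the command syntax follows GitHub's workflow-command documentation):

```python
"""Audit GitHub Actions step output for the retired set-env / add-path
workflow commands and show the file-based replacement.

Added example; not from the article. The log lines are constructed."""
import re
from typing import List, NamedTuple

# Old runners parsed any stdout line matching this shape as a command,
# so output built from untrusted data could set variables or extend PATH.
_COMMAND_RE = re.compile(
    r"^::(?P<cmd>set-env|add-path)(?: name=(?P<name>[^:]+))?::(?P<value>.*)$"
)


class Finding(NamedTuple):
    line_no: int
    command: str
    name: str      # variable name; empty for add-path
    value: str


def find_workflow_commands(log_lines: List[str]) -> List[Finding]:
    """Return every set-env / add-path command present in step output."""
    findings = []
    for i, raw in enumerate(log_lines, start=1):
        m = _COMMAND_RE.match(raw.strip())
        if m:
            findings.append(Finding(i, m["cmd"], m["name"] or "", m["value"]))
    return findings


def to_env_file_lines(findings: List[Finding]) -> List[str]:
    """Rewrite each command as the equivalent append to $GITHUB_ENV or
    $GITHUB_PATH, which the runner reads instead of parsing stdout."""
    out = []
    for f in findings:
        if f.command == "set-env":
            out.append(f'echo "{f.name}={f.value}" >> "$GITHUB_ENV"')
        else:
            out.append(f'echo "{f.value}" >> "$GITHUB_PATH"')
    return out


# Constructed sample step output (not a real log).
SAMPLE_STEP_OUTPUT = [
    "Running build",
    "::set-env name=BUILD_TAG::v1.2.3",
    "::add-path::/opt/tools/bin",
    "build finished",
]

if __name__ == "__main__":
    for f in find_workflow_commands(SAMPLE_STEP_OUTPUT):
        print(f"line {f.line_no}: retired command {f.command} -> {f.name or f.value}")
    print("\n".join(to_env_file_lines(find_workflow_commands(SAMPLE_STEP_OUTPUT))))
```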
Source: https://www.firstpost.com/tech/news-analysis/github-fixes-high-security-flaw-reported-by-google-project-zero-three-months-ago-9058361.html