go-gh Browser Capability Vulnerability in GitHub CLI Extensions Allowing Arbitrary Command Execution
Vulnerability
A vulnerability exists in go-gh, a collection of Go modules for GitHub CLI extensions, in versions prior to 2.12.1. The issue arises from the 'Browser' capability, which can be exploited by an attacker-controlled GitHub Enterprise Server. By replacing HTTP URLs with local file paths, the server can trigger the execution of arbitrary commands on a user's machine. This exploitation takes advantage of the 'Browse' function, which opens URLs using various operating system-specific methods. In the vulnerable versions, the function did not properly validate the URL schemes, allowing local files to be executed as commands.
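As an added illustration of the check the advisory says the vulnerable versions lacked (this is example code written for this page, not go-gh's own implementation; the names ValidateBrowseURL and BrowseCommand and the per-OS opener commands are assumptions), a Browse helper that accepts only absolute http or https URLs before anything reaches an OS-level opener, so a bare path or file:// URL substituted into an API response is rejected rather than executed:

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os/exec"
	"runtime"
	"strings"
)

// ErrUnsafeURL is returned for any input that is not an absolute http(s) URL.
var ErrUnsafeURL = errors.New("refusing to open: not an absolute http(s) URL")

// ValidateBrowseURL (hypothetical name) accepts only absolute http/https URLs
// that carry a host. A bare path such as /tmp/payload.sh or a file:// URL,
// which an untrusted server could substitute for a web URL in an API
// response, is rejected before any OS opener sees it.
func ValidateBrowseURL(raw string) (*url.URL, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return nil, fmt.Errorf("%w: %v", ErrUnsafeURL, err)
	}
	// url.Parse lower-cases the scheme, so "HTTPS://..." is handled here too.
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("%w: scheme %q", ErrUnsafeURL, u.Scheme)
	}
	if u.Host == "" {
		return nil, fmt.Errorf("%w: no host in %q", ErrUnsafeURL, raw)
	}
	return u, nil
}

// BrowseCommand (hypothetical name) builds, but does not run, the platform
// opener for a validated URL. The opener commands are the usual per-OS
// choices and are an assumption of this example, not go-gh's code.
func BrowseCommand(raw string) (*exec.Cmd, error) {
	u, err := ValidateBrowseURL(raw)
	if err != nil {
		return nil, err
	}
	target := u.String()
	switch runtime.GOOS {
	case "darwin":
		return exec.Command("open", target), nil
	case "windows":
		return exec.Command("rundll32", "url.dll,FileProtocolHandler", target), nil
	case "linux", "freebsd", "openbsd", "netbsd":
		return exec.Command("xdg-open", target), nil
	default:
		return nil, fmt.Errorf("no opener for %s", runtime.GOOS)
	}
}

func main() {
	// Constructed inputs: what a well-behaved server returns, followed by the
	// kinds of substitution an untrusted server could make.
	for _, in := range []string{
		"https://github.com/cli/cli/pull/1",
		"/tmp/payload.sh",
		"file:///tmp/payload.sh",
		"github.com/cli/cli",
	} {
		cmd, err := BrowseCommand(in)
		if err != nil {
			fmt.Printf("blocked   %-36q %v\n", in, err)
			continue
		}
		fmt.Printf("would run %q\n", cmd.Args)
	}
}
```

The opener is built but never executed here, so the program can be run on any machine to see which inputs are accepted; the important property is that the scheme and host check sits in front of every code path that hands a string to the operating system.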
Impact
Exploitation of this vulnerability could lead to the execution of arbitrary commands on the user's machine.
Reproduction
The vulnerability can be reproduced by using an attacker-controlled GitHub Enterprise Server to send API responses that include local file paths instead of HTTP URLs. When the GitHub CLI command is executed with the 'Browser' capability, the CLI will attempt to open the file paths, executing any included commands or scripts. This can be automated with a GitHub Actions workflow that triggers on a repository dispatch event, using the 'gh api' command to send the payload with the malicious file URLs. The 'Browser' capability can be invoked with the 'gh' command, which will then execute the replaced file URLs as commands, demonstrating the vulnerability.
Remediation
Users are advised to upgrade go-gh to version 2.12.1 or later.
