Gluestack UI Command Injection Vulnerability in GitHub Actions Workflow

Vulnerability

A command injection vulnerability exists in the 'discussion-to-slack.yml' GitHub Actions workflow of the Gluestack UI library prior to commit e6b4271. Untrusted GitHub Discussion fields, such as the title and body, were inserted directly into shell commands inside a 'run:' block. Because '${{ }}' expressions are substituted into the script text before the shell parses it, an attacker who opens or edits a Discussion can choose a title or body that becomes shell syntax and executes arbitrary commands on the Actions runner. Exploitation could lead to exfiltration of the repository's 'GITHUB_TOKEN' (with write access), unauthorized modification of repository contents, releases and workflows, and exposure of other repository secrets such as Slack or npm tokens.

Impact

Successful exploitation could result in arbitrary command execution on the Actions runner, with potential access to the repository's 'GITHUB_TOKEN' and other secrets.

Remediation

The vulnerable 'discussion-to-slack.yml' workflow has been deleted from the repository. Users of a fork or derivative should remove it as well. If the pattern was adapted elsewhere, do not interpolate '${{ }}' expressions carrying user-controlled fields (Discussion title or body, issue title, pull request branch name and similar) into the text of a 'run:' script. Pass the value through 'env:' or an action input instead and reference the resulting environment variable, quoted, from the script, so that the shell expands it only after the script has been parsed.
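The following is an added example, not code from the Gluestack UI repository or from the original advisory. It reproduces the mechanism behind the vulnerability on a local shell: the runner's textual substitution of a '${{ }}' expression is simulated by rendering the script with printf, and the same crafted Discussion title is then fed through both the vulnerable pattern and the hardened 'env:' pattern. The payload strings and the 'DISCUSSION_TITLE' variable name are constructed for the demonstration; the commented YAML fragments show the workflow shape each function stands in for.

```shell
#!/bin/sh
# Constructed payloads (hypothetical Discussion titles, not taken from the repo).
# PAYLOAD_QUOTE breaks out of a double-quoted string; PAYLOAD_SUBST does not even
# need to, because $(...) is evaluated inside double quotes by the shell.
PAYLOAD_QUOTE='Hello"; echo INJECTED; echo "'
PAYLOAD_SUBST='$(echo INJECTED)'

# Vulnerable pattern. A workflow step such as
#   run: echo "New discussion: ${{ github.event.discussion.title }}"
# has the expression replaced in the script text by the runner before the shell
# ever sees it, so the title is parsed as shell syntax. render_vulnerable_script
# performs that substitution the way the runner does.
render_vulnerable_script() {
  printf 'echo "New discussion: %s"\n' "$1"
}

run_vulnerable() {
  script=$(render_vulnerable_script "$1")
  sh -c "$script" 2>&1
}

# Hardened pattern. The value is handed to the step through env: and the script
# references only the variable name, which the shell expands after parsing:
#   env:
#     DISCUSSION_TITLE: ${{ github.event.discussion.title }}
#   run: echo "New discussion: $DISCUSSION_TITLE"
run_hardened() {
  DISCUSSION_TITLE="$1" sh -c 'echo "New discussion: $DISCUSSION_TITLE"' 2>&1
}

# Returns 0 if the output contains a line consisting only of INJECTED,
# i.e. the attacker-supplied command ran instead of being printed as text.
was_injected() {
  printf '%s\n' "$1" | grep -qx 'INJECTED'
}

for payload in "$PAYLOAD_QUOTE" "$PAYLOAD_SUBST"; do
  echo "--- payload: $payload"
  echo "vulnerable run: output follows"
  run_vulnerable "$payload"
  echo "hardened run: output follows"
  run_hardened "$payload"
done
```

With the quote-breakout payload the vulnerable run prints a bare INJECTED line, while the hardened run prints the title verbatim, quote characters included. The second payload shows why adding quotes around the interpolation is not a fix: '$(...)' is still executed inside double quotes, whereas an environment variable's expansion is never re-parsed. Independently of the fix, give the workflow a least-privilege 'permissions:' block so that a 'GITHUB_TOKEN' stolen from a compromised step cannot write to contents, releases or workflows.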

Added: Jul 1, 2025, 7:57 PM
Updated: Jul 1, 2025, 7:57 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.1
remediation: 0.0
relevance: 0.2
threat: 3.2
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.