tj-actions/branch-names
cpe:2.3:a:tj-actions:branch-names:*:*:*:*:*:*:*
- < 8.2.1
A critical command injection vulnerability has been identified in the tj-actions/branch-names GitHub Action, in versions prior to 8.2.1. This vulnerability allows arbitrary command execution in downstream workflows by exploiting specially crafted branch names or tags. The issue arises from inconsistent input sanitization and unescaped output, which have been addressed in version 9.0.0.
Exploitation of this vulnerability enables arbitrary command execution in workflows that use the affected GitHub Action. This could lead to unauthorized access to sensitive repository secrets, unauthorized write actions to the repository, or a compromise of the repository's overall integrity and security.
To reproduce this vulnerability, create a branch with a name that includes a command injection payload, such as one that uses curl to fetch a script and execute it with bash. Then, trigger a workflow that uses the tj-actions/branch-names action by opening a pull request. The injected command will be executed in the workflow environment, as demonstrated in the published proof-of-concept.
Users of the tj-actions/branch-names GitHub Action should update to version 9.0.0 or later.
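To check a repository against this advisory, the following added example (not code from the tj-actions project or from this advisory) audits workflow text for tj-actions/branch-names pins below the recommended 9.0.0 and for run: lines that expand the action's outputs inline. The function names, the line-based heuristics and the sample workflow are assumptions made for illustration; passing outputs through env: is general GitHub Actions hardening, not the project's fix.

```python
import re

FIXED_MAJOR = 9  # the advisory's remediation is "update to 9.0.0 or later"
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*tj-actions/branch-names@(\S+)")
ID_RE = re.compile(r"^\s*(?:-\s+)?id:\s*([\w-]+)")
RUN_RE = re.compile(r"^(\s*(?:-\s+)?)run:")
OUTPUT_RE = re.compile(r"\$\{\{\s*steps\.([\w-]+)\.outputs\.[\w-]+\s*\}\}")

# Constructed sample workflow fragment, not taken from any real repository.
SAMPLE = """\
steps:
  - id: branch
    uses: tj-actions/branch-names@v8
  - run: echo "Building ${{ steps.branch.outputs.current_branch }}"
  - env:
      BRANCH: ${{ steps.branch.outputs.current_branch }}
    run: echo "Building $BRANCH"
"""

def classify_ref(ref):
    """Map the ref after '@' to 'vulnerable', 'ok' or 'unknown' (SHA or branch)."""
    m = re.fullmatch(r"v?(\d+)(?:\.\d+){0,2}", ref)
    if m is None:
        return "unknown"  # resolve commit SHAs and branches to a release by hand
    return "vulnerable" if int(m.group(1)) < FIXED_MAJOR else "ok"

def audit_workflow(text):
    """Return (pins, inline): action pins and run lines expanding its outputs."""
    pins, inline, step_ids = [], [], set()
    step_id, uses_action, run_indent = None, False, None
    for no, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if re.match(r"\s*-\s", line):  # heuristic: a list item starts a new step
            step_id, uses_action = None, False
        if m := ID_RE.match(line):
            step_id = m.group(1)
        if m := USES_RE.match(line):
            uses_action = True
            pins.append((no, m.group(1), classify_ref(m.group(1))))
        if uses_action and step_id:
            step_ids.add(step_id)
        if m := RUN_RE.match(line):
            run_indent = len(m.group(1))  # column of the "run:" key
        elif line.strip() and run_indent is not None and indent <= run_indent:
            run_indent = None  # dedent: the run script has ended
        if run_indent is not None and step_ids & set(OUTPUT_RE.findall(line)):
            inline.append(no)
    return pins, inline
```

Calling audit_workflow(SAMPLE) reports the v8 pin on line 3 and the inline expansion on line 4; the step that passes the same output through env: is not flagged.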