HomeAssistant-Tapo-Control Code Injection Vulnerability in GitHub Actions Workflow

Vulnerability

A code injection vulnerability has been identified in the GitHub Actions workflow of the HomeAssistant-Tapo-Control repository, specifically in the .github/workflows/issues.yml file. The workflow interpolated user-controlled content from issue bodies directly into a Bash conditional without sanitization, so the issue text became part of the shell script rather than being handled as data. As a result, a malicious GitHub user could craft an issue that executes arbitrary commands on the GitHub Actions runner with elevated privileges, potentially accessing repository contents or GitHub Actions secrets. This vulnerability does not affect users of the Home Assistant integration itself; it is confined to the GitHub Actions environment of this repository.

Impact

Exploitation of this vulnerability could lead to unauthorized execution of commands in the GitHub Actions environment, with potential access to repository contents and GitHub Actions secrets.

Remediation

The vulnerability has been patched in commit 2a3b80f. Repositories with the same workflow should update .github/workflows/issues.yml to match the patched version. If immediate upgrading is not possible, the affected workflow can be disabled or the unsafe Bash comparison replaced with a safe, quoted grep or a pure GitHub Actions expression check. Additionally, ensuring minimal permissions in workflows can help reduce the possible impact.
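The following workflow is an added illustration of the remediation described above; it is not the repository's own issues.yml or its patch. The job names, the "Debug log" marker string and the permission set are assumptions. It shows the unsafe pattern (an Actions expression expanded inside a run: script) next to the two safe alternatives the advisory names: a quoted grep over an environment variable, and a pure GitHub Actions expression check, with least-privilege permissions.

```yaml
# Added example, not the project's own workflow. Marker string, job names and
# permissions are assumptions chosen to illustrate the pattern.
name: issues
on:
  issues:
    types: [opened, edited]

# Least privilege: grant only what the jobs need (assumed: read code, write to issues).
permissions:
  contents: read
  issues: write

jobs:
  # UNSAFE pattern (the bug class described in the advisory). The ${{ }} expression is
  # expanded by the Actions template engine before Bash runs, so the issue body is
  # spliced into the script text itself. Disabled here; kept only as a review reference.
  unsafe-check:
    if: ${{ false }}
    runs-on: ubuntu-latest
    steps:
      - run: |
          if [[ "${{ github.event.issue.body }}" == *"Debug log"* ]]; then
            echo "issue contains a debug log"
          fi

  # SAFE pattern 1: hand the untrusted text to the shell through an environment
  # variable and quote it. Bash sees it as a value, never as script.
  safe-env-grep:
    runs-on: ubuntu-latest
    steps:
      - env:
          ISSUE_BODY: ${{ github.event.issue.body }}
        run: |
          if printf '%s' "$ISSUE_BODY" | grep -qF 'Debug log'; then
            echo "issue contains a debug log"
          fi

  # SAFE pattern 2: no shell at all; the check is a pure Actions expression and the
  # step runs only when it is true.
  safe-expression:
    runs-on: ubuntu-latest
    if: contains(github.event.issue.body, 'Debug log')
    steps:
      - run: echo "issue contains a debug log"
```

Two practical notes: the expression form contains() is case-insensitive, while grep -F is case-sensitive, so pick the one that matches the intended check; and the env: indirection is what makes pattern 1 safe, so a review of any issues.yml should flag every ${{ github.event.issue.* }} or ${{ github.event.comment.* }} that appears directly inside a run: block.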

Added: Aug 14, 2025, 5:33 PM
Updated: Aug 14, 2025, 5:33 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.1
remediation: 0.0
relevance: 0.3
threat: 3.2
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.