Melange Command Injection Vulnerability in Working-Directory Substitutions
Vulnerability
A command injection vulnerability has been identified in Melange versions from 0.3.0 up to, but not including, 0.40.3. The issue arises when user-provided build input values are substituted into the pipeline's working-directory field via ${{vars.*}} or ${{inputs.*}}. Because the substituted value is not quote-escaped before it reaches the shell, it can break out of the surrounding quotes and cause arbitrary shell commands to be executed. This vulnerability has been patched in version 0.40.3.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the host system where Melange is running.
Reproduction
To reproduce this vulnerability, create a pipeline that uses ${{vars.*}} or ${{inputs.*}} substitutions in the working-directory field. Ensure that the substituted values include unescaped characters that can break out of quotes, such as single quotes or command substitution syntax. When the pipeline is executed, the injected commands will be executed in the shell, demonstrating the command injection vulnerability.
Remediation
Users can upgrade to Melange version 0.40.3 or later to address this vulnerability.
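The defensive pattern that the fix requires, as an added example in Go (Melange is a Go project, but this is illustrative code, not Melange's own): a substituted value must never be spliced into a shell string as-is. The block contrasts the unescaped pattern described above with two hardening options, POSIX single-quote escaping so the shell always sees one word, and a stricter allow-list validator for the working-directory field. The function names, the `cd ... && make` command shape and the sample inputs are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"regexp"
	"strings"
)

// unsafeCommand mirrors the vulnerable pattern: the substituted value is
// dropped between single quotes with no escaping, so a value containing a
// quote character changes the structure of the command. (Hypothetical
// rendering of the pipeline step, not Melange's actual code.)
func unsafeCommand(workdir string) string {
	return fmt.Sprintf("cd '%s' && make", workdir)
}

// shellSingleQuote renders s as exactly one POSIX single-quoted word.
// The only character that cannot appear inside single quotes is the single
// quote itself, so each one is closed, backslash-escaped, and reopened:
//   '  ->  '\''
func shellSingleQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// safeCommand is the escaped form: whatever the value contains, the shell
// parses it as a single argument to cd.
func safeCommand(workdir string) string {
	return "cd " + shellSingleQuote(workdir) + " && make"
}

// safeWorkdir is an allow-list for the characters a relative build
// directory reasonably needs; shell metacharacters are rejected outright.
var safeWorkdir = regexp.MustCompile(`^[A-Za-z0-9._/-]+$`)

// validateWorkdir is the stricter option: instead of quoting, refuse any
// value that is not a plain relative path inside the build root. Use it on
// ${{vars.*}} / ${{inputs.*}} values before they reach the shell at all.
func validateWorkdir(s string) (string, error) {
	if s == "" || !safeWorkdir.MatchString(s) {
		return "", errors.New("working-directory contains characters outside the allow-list")
	}
	clean := path.Clean(s)
	if path.IsAbs(clean) || clean == ".." || strings.HasPrefix(clean, "../") {
		return "", errors.New("working-directory must stay inside the build root")
	}
	return clean, nil
}

func main() {
	// Constructed sample: a directory name that happens to contain a quote.
	input := "build'dir"
	fmt.Println("unescaped :", unsafeCommand(input)) // quote structure broken
	fmt.Println("escaped   :", safeCommand(input))   // one shell word

	for _, candidate := range []string{"src/build", "src/../../etc", input} {
		if dir, err := validateWorkdir(candidate); err != nil {
			fmt.Printf("reject %q: %v\n", candidate, err)
		} else {
			fmt.Printf("accept %q -> %q\n", candidate, dir)
		}
	}
}
```

Quoting and validation are complementary: the allow-list is the right default for a field that only ever names a build subdirectory, while the quoting helper is the fallback when arbitrary values genuinely have to be passed through a shell. Either way, the check belongs at the point where the substitution is rendered, not in individual pipeline definitions.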
