Super-Linter Command Injection Vulnerability in GitHub Action
Vulnerability
A command injection vulnerability has been identified in the Super-Linter GitHub Action, affecting versions from 6.0.0 up to, but not including, 8.3.0. The issue arises when the action processes filenames containing shell command substitution syntax, such as $(...). During file discovery, the action's runtime scripts may evaluate the embedded command, allowing arbitrary command execution in the workflow runner context. Depending on the workflow's permission settings, this can expose the job's GITHUB_TOKEN.
Impact
Exploiting this vulnerability allows arbitrary command execution within the workflow run that invokes Super-Linter, with the added risk that the GITHUB_TOKEN, a credential that can access repository resources, is exposed and misused.
Reproduction
To reproduce this vulnerability, use a workflow that runs Super-Linter on pull request events. Open a pull request that adds a new file with a crafted filename containing command substitution syntax, such as $(...), and an outbound request that includes the GITHUB_TOKEN. Once the pull request is merged, the workflow will execute the injected command, potentially leading to unauthorized command execution and GITHUB_TOKEN exposure.
Remediation
Users can update to Super-Linter version 8.3.1 or later to address this vulnerability.
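As an added defensive illustration (not Super-Linter's own code and not the 8.3.1 fix), the bash snippet below shows two things a workflow owner can do alongside updating: a pre-check that refuses to run when any file name in the checkout contains shell metacharacters such as the $(...) syntax described above, and the quoting discipline that hands every file name to a linter as literal data so the shell never re-parses it. The function names and the lint_one placeholder are assumptions; bash 4 or later is assumed.

```shell
#!/usr/bin/env bash
# Added defensive example (not Super-Linter code, not the 8.3.1 fix).
# Assumed: bash 4+, a find that supports -print0; lint_one stands in for a linter.

# Return 1 (listing offenders on stderr) if any file under "$1" has a name
# containing characters a shell could interpret: $ ` ; | & or newline.
# Names are read NUL-delimited so a newline inside a name cannot split the list.
find_unsafe_filenames() {
  find "$1" -type f -print0 | (
    found=0
    while IFS= read -r -d '' path; do
      case "$path" in
        *'$'*|*'`'*|*';'*|*'|'*|*'&'*|*$'\n'*)
          printf 'unsafe filename: %q\n' "$path" >&2
          found=1 ;;
      esac
    done
    exit "$found"   # subshell status becomes the pipeline's status
  )
}

# Placeholder linter: prints what it was asked to lint, one argument at a time.
lint_one() {
  printf 'linting: %s\n' "$1"
}

# Hand every file name to the linter as a single, quoted argument. No eval,
# no command string assembled from names, no word splitting: a name such as
# 'notes$(id).md' reaches lint_one as literal data and is never executed.
lint_tree() {
  find "$1" -type f -print0 | while IFS= read -r -d '' path; do
    lint_one "$path"
  done
}

# Typical use in a workflow step: refuse to lint if the tree fails the check.
# GITHUB_WORKSPACE is the checkout directory GitHub Actions provides.
# find_unsafe_filenames "$GITHUB_WORKSPACE" && lint_tree "$GITHUB_WORKSPACE"
```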