Nektos act Environment and Path Injection Vulnerability

Vulnerability

A vulnerability in Nektos act, a tool for running GitHub Actions locally, allows for environment and path injection. This issue exists in versions through 0.2.85. The vulnerability arises because act processes the deprecated '::set-env::' and '::add-path::' commands without any checks. These commands can be exploited to set arbitrary environment variables or modify the PATH for subsequent steps in a workflow. The problem is particularly concerning because it creates a false sense of security; workflows that are safe on GitHub Actions can become vulnerable when run with act.

Impact

Exploitation of this vulnerability allows for the injection of environment variables and modification of the PATH, leading to potential arbitrary code execution and command hijacking.

Reproduction

The vulnerability can be reproduced by creating a pull request with a title that includes the '::set-env::' or '::add-path::' commands. When the workflow is executed, act will process these commands, injecting the specified environment variables or modifying the PATH for the job.

Remediation

Users can upgrade to act version 0.2.86, which patches this vulnerability by adding the necessary checks for the '::set-env::' and '::add-path::' commands.
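To make the behaviour described in the Vulnerability and Remediation sections concrete, here is an added illustration in Go (act's own language). It is not act's code and not the actual patch: it models the `::command key=value::data` line format in a simplified way (an assumption, enough for the two commands at issue), feeds a constructed sample of step output in which an echoed pull request title carried the deprecated commands, and contrasts the unchecked handling (any `set-env`/`add-path` line is honoured) with the checked handling that 0.2.86 introduces (the deprecated commands are ignored and a warning is recorded). The names `parseCommand`, `applyUnchecked`, `applyChecked`, `process` and `JobState` are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample of a step's stdout: a workflow step echoed an untrusted
// pull request title, and that title carried the deprecated commands.
const sampleOutput = `Processing PR: fix typo
::set-env name=INJECTED::1
::add-path::/tmp/untrusted
::warning::this line is a normal, still-supported command
done`

// WorkflowCommand is a simplified model of one "::name args::data" line.
type WorkflowCommand struct {
	Name string
	Args map[string]string
	Data string
}

// Assumed line shape: "::name", optional whitespace plus "k=v,k2=v2", "::", data.
var cmdRe = regexp.MustCompile(`^::([a-zA-Z-]+)(?:\s+([^:]*))?::(.*)$`)

// parseCommand returns the parsed command and true, or false for ordinary output lines.
func parseCommand(line string) (WorkflowCommand, bool) {
	m := cmdRe.FindStringSubmatch(strings.TrimSpace(line))
	if m == nil {
		return WorkflowCommand{}, false
	}
	args := map[string]string{}
	for _, kv := range strings.Split(m[2], ",") {
		kv = strings.TrimSpace(kv)
		if kv == "" {
			continue
		}
		if parts := strings.SplitN(kv, "=", 2); len(parts) == 2 {
			args[parts[0]] = parts[1]
		}
	}
	return WorkflowCommand{Name: m[1], Args: args, Data: m[3]}, true
}

// JobState is the per-job state that later steps inherit.
type JobState struct {
	Env      map[string]string
	Path     []string
	Warnings []string
}

// applyUnchecked mirrors the pre-0.2.86 behaviour the advisory describes:
// set-env and add-path are honoured regardless of where the line came from.
func applyUnchecked(st *JobState, c WorkflowCommand) {
	switch c.Name {
	case "set-env":
		st.Env[c.Args["name"]] = c.Data
	case "add-path":
		st.Path = append([]string{c.Data}, st.Path...)
	}
}

// applyChecked is the hardened form: the deprecated commands are refused
// (GitHub itself stopped honouring them in 2020) and a warning is kept instead.
func applyChecked(st *JobState, c WorkflowCommand) {
	switch c.Name {
	case "set-env", "add-path":
		st.Warnings = append(st.Warnings,
			fmt.Sprintf("ignored deprecated command %q in step output", c.Name))
	}
}

// process scans step output line by line and applies recognised commands.
func process(output string, apply func(*JobState, WorkflowCommand)) JobState {
	st := JobState{Env: map[string]string{}, Path: []string{"/usr/bin"}}
	for _, line := range strings.Split(output, "\n") {
		if c, ok := parseCommand(line); ok {
			apply(&st, c)
		}
	}
	return st
}

func main() {
	before := process(sampleOutput, applyUnchecked)
	after := process(sampleOutput, applyChecked)
	fmt.Printf("unchecked: env=%v path=%v\n", before.Env, before.Path)
	fmt.Printf("checked:   env=%v path=%v warnings=%v\n", after.Env, after.Path, after.Warnings)
}
```

Running it shows the unchecked path inheriting `INJECTED=1` and `/tmp/untrusted` at the head of PATH from a line that was only ever meant to be printed, while the checked path leaves both untouched and surfaces two warnings. The same test output run through a current GitHub-hosted runner would also be ignored, which is the gap between GitHub Actions and pre-0.2.86 act that the advisory points at.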

Added: Mar 31, 2026, 3:29 AM
Updated: Mar 31, 2026, 3:29 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 5.8
remediation: 7.7
relevance: 5.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.