Wenxian Command Injection Vulnerability in GitHub Actions Workflow
Vulnerability
A command injection vulnerability has been identified in Wenxian, a tool that generates BibTeX files from various identifiers. In versions through 0.3.1, a GitHub Actions workflow in the project takes the text of an issue comment and interpolates it directly into a shell command. GitHub Actions substitutes the expression text into the script before the shell parses it, so any shell metacharacters in the comment become part of the command rather than data. Because the workflow runs on issue comments, anyone who can comment on the repository's issues can trigger it with a crafted comment and obtain arbitrary code execution on the GitHub Actions runner. At the time of publication, no patches are available.
Impact
Exploitation of this vulnerability allows a remote attacker to execute arbitrary shell commands on the GitHub Actions runner with the permissions of the workflow job. This could expose the job's GITHUB_TOKEN and any other secrets the job is given, allow exfiltration of repository data, and compromise the CI/CD pipeline.
Reproduction
To reproduce this vulnerability, post a comment on an issue in a repository running the affected workflow (Wenxian version 0.3.1 or earlier). Include a payload that closes the quoted context around the interpolated comment and appends a command, such as 'whoami'. The command's output appears in the workflow run logs, confirming that the injected command executed on the runner.
Remediation
Users are advised not to interpolate untrusted input (for example the comment body, ${{ github.event.comment.body }}) directly into a run: script. Instead, assign the value to an environment variable in the step's env: block and reference it in the script as a quoted shell variable such as "$COMMENT_BODY"; the shell then substitutes the value after parsing and never reinterprets it as command syntax. The same rule applies to other attacker-controlled event fields, including issue titles and bodies, pull request titles, and branch names.
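The vulnerable and hardened run-step patterns from the Reproduction and Remediation sections, simulated in plain bash so they can be run outside GitHub Actions. This is an added example, not Wenxian's workflow: the echo command stands in for whatever the real step runs, the environment variable name COMMENT_BODY is assumed, and the payload is constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not Wenxian's own workflow. It reproduces in plain bash what a
# GitHub Actions `run:` step does with a ${{ ... }} expression: the expression is
# replaced textually with the comment body BEFORE the shell parses the script, so
# a body that closes the surrounding quotes becomes shell syntax. The "Resolving
# identifier" command stands in for whatever the real workflow runs (assumed).

# Vulnerable pattern, equivalent to:
#   run: echo "Resolving identifier: ${{ github.event.comment.body }}"
# The body is spliced into the script text, then the whole text is parsed.
vulnerable_step() {
  local body=$1
  local script="echo \"Resolving identifier: $body\""
  bash -c "$script"
}

# Hardened pattern, equivalent to:
#   env:
#     COMMENT_BODY: ${{ github.event.comment.body }}
#   run: echo "Resolving identifier: $COMMENT_BODY"
# The script text is fixed; the body only arrives as a variable value, which the
# shell substitutes after parsing and never reinterprets as commands.
hardened_step() {
  local body=$1
  COMMENT_BODY="$body" bash -c 'echo "Resolving identifier: $COMMENT_BODY"'
}

# Returns 0 if the injected command ran, i.e. a line consisting solely of
# INJECTED appears in the captured output. When the payload is echoed back as
# plain data the word INJECTED is present, but never on a line of its own.
was_injected() {
  printf '%s\n' "$1" | grep -qx 'INJECTED'
}

# Constructed payload of the kind described in the Reproduction section: close
# the double quote, run a command, reopen a quote so the rest still parses.
# The advisory's 'whoami' is replaced by a deterministic marker.
PAYLOAD='"; echo INJECTED; echo "'

if was_injected "$(vulnerable_step "$PAYLOAD")"; then
  echo "vulnerable step: payload executed on the runner"
fi
if ! was_injected "$(hardened_step "$PAYLOAD")"; then
  echo "hardened step: payload stayed inert data"
fi
```

Run it with bash. The vulnerable function prints INJECTED on its own line because the payload closed the quoted string and became a separate command; the hardened function prints the payload verbatim. In a real workflow the expression expansion happens on the runner before the shell starts, so no amount of quoting inside the run: script protects against it; only keeping the untrusted value out of the script text does.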
