Vowpal Wabbit GitHub Actions Workflow Shell Injection Vulnerability
Vulnerability
A shell injection vulnerability has been identified in the Vowpal Wabbit GitHub repository. The issue is in the GitHub Actions workflow file '.github/workflows/python_checks.yml', where the pull request title is embedded directly into double-quoted bash strings in `run:` steps. Because GitHub substitutes the expression into the script text before bash executes it, an attacker who controls the title can break out of the quotes and run arbitrary commands on the CI runner. This interpolation occurs in four separate steps across different jobs. The workflow runs on the pull request event for any target branch, with no additional access restriction.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the CI runner, with root privileges.
Reproduction
The vulnerability can be reproduced by cloning the Vowpal Wabbit repository and creating a pull request with a crafted title that includes a command injection payload. The GitHub Actions workflow will execute the injected command as part of the CI process.
Remediation
The vulnerability has been fixed by modifying the workflow to bind the pull request title to an environment variable (via the step's `env:` block) and to reference that variable from the script, so bash expands the title as data rather than having it substituted into the script text before execution. This fix should be applied to all four occurrences of the vulnerability in the workflow.
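As an added example (not code from the Vowpal Wabbit repository), the check below scans a workflow for attacker-controlled expressions such as `github.event.pull_request.title` that appear inside `run:` scripts, and ignores the same expressions when they are bound under `env:`. The embedded workflow text is constructed to show the vulnerable step beside the hardened form described above; it is not the real python_checks.yml.

```python
import re
from typing import List, Tuple

# Expression contexts that GitHub documents as attacker-controllable
# (PR/issue titles and bodies, comment bodies, branch names, commit messages).
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.("
    r"event\.(pull_request\.(title|body|head\.(ref|label))"
    r"|issue\.(title|body)|comment\.body|review\.body"
    r"|head_commit\.message|commits\.\*\.message)"
    r"|head_ref)\s*\}\}"
)
BLOCK_SCALAR = ("|", ">", "|-", ">-", "|+", ">+")

def find_run_injections(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, expression) for every untrusted expression inside
    a `run:` script. Expressions under `env:`/`with:` are bound as data and
    are not reported. Line-based scan: no YAML parser dependency."""
    findings = []
    in_run, run_indent = False, 0
    for no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        m = re.match(r"-?\s*run:\s*(.*)$", stripped)
        if m:
            body = m.group(1)
            findings += [(no, h.group(0)) for h in UNTRUSTED.finditer(body)]
            # `run: |` / `run: >` continues on the deeper-indented lines below
            in_run, run_indent = body.strip() in BLOCK_SCALAR, indent
        elif in_run and stripped and indent <= run_indent:
            in_run = False  # dedent closes the block scalar
        elif in_run:
            findings += [(no, h.group(0)) for h in UNTRUSTED.finditer(line)]
    return findings

# Constructed sample: step "vulnerable" interpolates the title into the
# script text; step "hardened" binds it to PR_TITLE and lets bash expand it.
SAMPLE_WORKFLOW = """\
on: pull_request
jobs:
  checks:
    runs-on: ubuntu-latest
    steps:
      - name: vulnerable
        run: |
          echo "Checking PR: ${{ github.event.pull_request.title }}"
      - name: hardened
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Checking PR: $PR_TITLE"
"""
```

Running `find_run_injections(SAMPLE_WORKFLOW)` flags only line 8, the vulnerable step; the env-bound reference on line 11 is reported as safe.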
