Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Template injection in a GitHub workflow of koriwi/freedeck-configurator

Jaroslav Lobacevski, posted 4 years ago
  • This vulnerability was found in a GitHub workflow template used for integration with Discord. GitHub Workflows allow automated actions to run when certain events (such as a PR) happen.
  • When a PR went through, a workflow integrated with Discord to post it in a particular channel. However, the commit field (which an outside contributor controls) was not sanitized at all.
  • Because of the missing sanitization, arbitrary Markdown could be injected into the Discord message. But it gets much worse!
  • The Discord API supports string interpolation syntax for environment arguments, and the interpolation even allows executing arbitrary JavaScript! Using this, it is possible to write to the repository and steal other secrets from the GitHub Runner instance.
  • Overall, this is an integration issue between two powerful technologies; neither of them (although allowing arbitrary JavaScript execution seems a little much) has a direct issue on its own. Interesting finding!
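As an added example (not code from the write-up or from the koriwi project), the scanner below looks for the pattern this entry describes: a `${{ github.event.* }}` expression that the runner expands straight into a `run:` or `script:` body, so a crafted commit message or PR title becomes part of the command rather than data. The embedded workflow is constructed for illustration and assumes a shell step posting to a webhook URL in `$WEBHOOK`: its first step interpolates the commit message into the script, while the second routes it through `env:` so the shell only ever sees it as a variable value.

```python
import re
from typing import List, Tuple
# Event fields an outside contributor can set: commit messages, PR/issue title and body, branch name.
UNTRUSTED = re.compile(
    r"github\.(event\.(head_commit\.message|commits\[[^\]]*\]\.message"
    r"|pull_request\.(title|body|head\.ref)|issue\.(title|body))|head_ref)"
)
EXPR = re.compile(r"\$\{\{([^}]*)\}\}")   # workflow expression, expanded by the runner before the step runs
KEY = re.compile(r"(\w+):\s*(.*)$")      # "key: value" of a YAML mapping line
# Constructed sample workflow (not the project's real file). Step "vulnerable" has the commit message
# expanded into the shell script itself; step "hardened" passes it via env: and lets jq do the JSON quoting.
SAMPLE = r"""name: notify
on: push
jobs:
  notify:
    runs-on: ubuntu-latest
    steps:
      - name: vulnerable
        run: |
          curl -sS -X POST -H 'Content-Type: application/json' \
            -d "{\"content\": \"${{ github.event.head_commit.message }}\"}" "$WEBHOOK"
      - name: hardened
        env:
          MSG: ${{ github.event.head_commit.message }}
        run: |
          jq -n --arg c "$MSG" '{content: $c}' \
            | curl -sS -X POST -H 'Content-Type: application/json' -d @- "$WEBHOOK"
"""

def find_injections(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, expression) for every untrusted expression inside a run:/script: body."""
    findings, in_body, body_indent = [], False, -1
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if in_body and stripped and indent <= body_indent:
            in_body = False                 # dedent ends the block scalar
        if in_body:
            hits = [e.group(0) for e in EXPR.finditer(line) if UNTRUSTED.search(e.group(1))]
        else:
            m = KEY.match(stripped[2:] if stripped.startswith("- ") else stripped)  # "- run:" items too
            if not m or m.group(1) not in ("run", "script"):
                continue                    # env:, with:, name: ... hold data, not code
            if m.group(2) in ("|", "|-", ">", ">-"):
                in_body, body_indent = True, indent
                continue                    # multi-line body starts on the next line
            hits = [e.group(0) for e in EXPR.finditer(m.group(2)) if UNTRUSTED.search(e.group(1))]
        findings.extend((lineno, h) for h in hits)
    return findings
```

Running `find_injections(SAMPLE)` flags only the `-d` line of the first step; the `env:` indirection in the second step is the intermediate-variable pattern GitHub's own Actions hardening guidance recommends for user-controlled input.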