Source: justinsteven / advisories (GitHub)

submitted by
Style Pass
2021-09-09 08:00:07

The check-spelling GitHub Actions community workflow is a spell checker for GitHub commits. When the workflow is enabled on a given repository, it is activated whenever a Pull Request is made to that repo. The workflow checks the spelling according to a configuration defined by the repo, and submits a Pull Request comment showing the details of any spelling errors.

For a repo configured to use the check-spelling workflow, an attacker can submit a Pull Request which contains a spelling error and which also has a symbolic link pointing from .github/actions/advice.txt to /proc/self/environ. When this malicious Pull Request is processed by the check-spelling workflow, the workflow will post a comment to the Pull Request which contains a full dump of the GitHub Actions environment variables. This discloses a short-lived GITHUB_TOKEN API key. The attacker can retrieve this API key and can perform sensitive operations on behalf of the target repo, such as:

This gives the attacker significant control over the repo. The attacker could use the vulnerability to merge a malicious pull request to the repo, introducing malicious code to the project.
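The root cause described above is a privileged workflow reading a file whose path is controlled by the pull request without first checking what that path really points to. The following is an added defensive example, not code from the advisory or from the check-spelling project: a helper that a workflow could use to read a repository-supplied file (such as an advice text) only when no component of the path is a symbolic link and the resolved target stays inside the checkout. The repository layout, the `secret.env` file and the function names are constructed for the demonstration.

```python
"""Safely read a repo-controlled file from a CI workflow.

Added example (not check-spelling's own code). Rejects symlinks anywhere in
the path, path traversal out of the checkout, and non-regular files such as
/proc/self/environ, so a malicious PR cannot turn a "read advice.txt" step
into an environment dump.
"""
import os
import tempfile
from pathlib import Path


class UnsafeRepoPath(Exception):
    """Raised when a repo-supplied path must not be read by a privileged job."""


def safe_read_repo_file(repo_root: os.PathLike, rel_path: str, limit: int = 1 << 20) -> str:
    root = Path(repo_root).resolve()
    # Check every path component, not just the leaf: a symlinked directory
    # earlier in the chain redirects the read just as well as a symlinked file.
    partial = root
    for part in Path(rel_path).parts:
        partial = partial / part
        if partial.is_symlink():
            raise UnsafeRepoPath(f"{partial} is a symbolic link")
    resolved = (root / rel_path).resolve(strict=True)
    # Containment check on the fully resolved path catches "../" traversal.
    if resolved != root and root not in resolved.parents:
        raise UnsafeRepoPath(f"{resolved} is outside the checkout {root}")
    # Only regular files: refuses device nodes, FIFOs and procfs entries.
    if not resolved.is_file():
        raise UnsafeRepoPath(f"{resolved} is not a regular file")
    with open(resolved, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read(limit)  # bounded read so a huge file cannot flood a PR comment


def demo() -> dict:
    """Constructed checkout: an honest advice file, a symlink pointing outside
    the repo, and a traversal path. Returns what happened for each."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = Path(tmp) / "secret.env"  # stands in for /proc/self/environ
        outside.write_text("GITHUB_TOKEN=placeholder-not-a-real-token\n")
        repo = Path(tmp) / "repo"
        actions = repo / ".github" / "actions"
        actions.mkdir(parents=True)
        (actions / "advice.txt").write_text("Please fix the spelling.\n")
        (actions / "evil.txt").symlink_to(outside)

        results = {"honest": safe_read_repo_file(repo, ".github/actions/advice.txt")}
        for label, path in (("symlink", ".github/actions/evil.txt"),
                            ("traversal", "../secret.env")):
            try:
                safe_read_repo_file(repo, path)
                results[label] = "read"
            except UnsafeRepoPath:
                results[label] = "rejected"
        return results


if __name__ == "__main__":
    print(demo())
```

The same containment logic applies to any file a workflow reads from the PR head (dictionaries, allow-lists, templates): resolve first, verify the target is a regular file inside the checkout, and only then open it. Refusing symlinks outright is simpler and safer than trying to validate where they point.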
