GitHub Actions allows environment variables to be defined by appending to the file whose path is held in the GITHUB_ENV environment variable:
This file contains one assignment per line in the KEY=VALUE format:
Multiline variables can also be defined with the following heredoc-style construct, where {delimiter} marks the end of the value:
If an attacker controls the value assigned to an environment variable and no sanitization is in place, the attacker can inject additional variables by inserting new lines (for single-line values) or the closing {delimiter} (for multiline values).
Do not allow untrusted data to influence environment variables:
Avoid using untrusted data sources (e.g., artifact content) to define environment variables.
Validate and sanitize all inputs before using them in environment settings.
Do not allow new lines when defining single-line environment variables:
echo "BODY=$(echo "$BODY" | tr -d '\n')" >> "$GITHUB_ENV"
Use unique, unpredictable delimiters when defining multi-line environment variables:
Consider the following basic setup where an environment variable MYVAR is set and used in subsequent steps:
If an attacker can manipulate the value being set, such as through artifact downloads or user inputs, the attacker can potentially inject new environment variables. For example, they could write an issue comment like:
Likewise, if the attacker controls a file in the GitHub Actions Runner's workspace (e.g., the workflow checks out untrusted code or downloads an untrusted artifact) and the contents of that file are assigned to an environment variable such as:
An attacker could craft a malicious artifact that writes dangerous environment variables:
An attacker would be able to run arbitrary code by injecting environment variables such as LD_PRELOAD, BASH_ENV, etc.
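The following shell helpers are an added example, not code from the CodeQL query or from GitHub's documentation. They apply the two recommendations above (strip new lines from single-line values, use a random per-call delimiter for multiline values and refuse a value that contains it) and include a small parser that approximates how the runner reads the GITHUB_ENV file, so you can check which variable names a given file would actually define. The function names and the "ghadelimiter_" prefix are assumptions; GITHUB_ENV is pointed at a temporary file so the script runs outside a runner, and the sample value is constructed to mirror the issue-comment case described in the text.

```shell
#!/bin/sh
# Added example (not the query's or GitHub's own code). Function names and the
# delimiter prefix are hypothetical; GITHUB_ENV falls back to a temp file here.

# Single-line variable: remove CR and LF so the value can never start a new
# KEY=VALUE line in the GITHUB_ENV file.
set_env_single() {
  name="$1"
  value="$(printf '%s' "$2" | tr -d '\r\n')"
  printf '%s=%s\n' "$name" "$value" >> "${GITHUB_ENV:?GITHUB_ENV must be set}"
}

# Multi-line variable: use a random, per-call heredoc delimiter and refuse any
# value that contains that delimiter as a whole line, so the value cannot close
# the block early and smuggle in further assignments.
set_env_multiline() {
  name="$1"
  value="$2"
  delim="ghadelimiter_$(od -An -N12 -tx1 /dev/urandom | tr -d ' \n')"
  if printf '%s\n' "$value" | grep -qxF "$delim"; then
    echo "refusing to write $name: value contains the delimiter" >&2
    return 1
  fi
  {
    printf '%s<<%s\n' "$name" "$delim"
    printf '%s\n' "$value"
    printf '%s\n' "$delim"
  } >> "${GITHUB_ENV:?GITHUB_ENV must be set}"
}

# Approximation of the runner's parsing (assumption, not the runner's code):
# NAME=VALUE defines NAME; NAME<<DELIM defines NAME and skips lines until a line
# equal to DELIM. Prints the defined names, space-separated, on one line.
env_file_names() {
  awk '
    skip != "" { if ($0 == skip) skip = ""; next }
    match($0, /^[A-Za-z_][A-Za-z0-9_]*<</) {
      print substr($0, 1, RLENGTH - 2); skip = substr($0, RLENGTH + 1); next }
    match($0, /^[A-Za-z_][A-Za-z0-9_]*=/) { print substr($0, 1, RLENGTH - 1) }
  ' "$1" | paste -sd ' ' -
}

# Side-by-side check: an unsafe write of a value carrying a second line defines
# two variables, while the safe helpers define only BODY. Returns the three
# name lists separated by "|".
demo_injection_check() {
  GITHUB_ENV="$(mktemp)"
  export GITHUB_ENV
  body="$(printf 'foo\nNEW_VAR=new_value')"   # constructed sample value

  printf 'BODY=%s\n' "$body" >> "$GITHUB_ENV"  # unsafe: what the text warns about
  unsafe="$(env_file_names "$GITHUB_ENV")"

  : > "$GITHUB_ENV"
  set_env_single BODY "$body"
  single="$(env_file_names "$GITHUB_ENV")"

  : > "$GITHUB_ENV"
  set_env_multiline BODY "$body"
  multi="$(env_file_names "$GITHUB_ENV")"

  rm -f "$GITHUB_ENV"
  printf '%s|%s|%s\n' "$unsafe" "$single" "$multi"
}

demo_injection_check
```

Running the script prints `BODY NEW_VAR|BODY|BODY`: only the unsanitized write lets the second line become an assignment. In a real workflow you would drop the demo and call the two `set_env_*` helpers from a `run:` step, keeping the value check in `set_env_multiline` even though a random delimiter makes a collision vanishingly unlikely.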
GitHub Docs: Workflow commands for GitHub Actions.
Synacktiv: GitHub Actions Exploitation: Repo Jacking and Environment Manipulation.