Hello maintainers,
I would like to report a potential vulnerability in your GitHub CI workflows.
Affected files:
- jbcom/control-center/.github/workflows/delegator.yml
Vulnerability:
- In job 'delegate', step 'Execute command', attacker-controlled input from github.event.comment.body is spliced into the run shell via ${{ steps.parse.outputs.command }}. The upstream 'Parse command' step extracts the command from the comment body and exposes it as a step output; the sink is the step's run shell. Because ${{ }} expressions are substituted into the script text before the shell executes it, whatever the comment author placed in that output is interpreted as shell code rather than as data.
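The fix is to stop interpolating the untrusted value into the script and to dispatch only on a fixed set of known commands. The following is an added illustration written for this report, not the repository's own workflow; step ids, output names, the allowlisted commands and the make targets are assumptions.

```yaml
# Added example: hardened form of the 'delegate' job (illustrative, not jbcom/control-center's file).
# Step ids, output names, allowlist entries and make targets are assumed.
on:
  issue_comment:
    types: [created]

jobs:
  delegate:
    runs-on: ubuntu-latest
    # Only let trusted collaborators trigger the delegator at all.
    if: contains(fromJSON('["OWNER","MEMBER"]'), github.event.comment.author_association)
    steps:
      - name: Parse command
        id: parse
        env:
          # Untrusted data enters through an environment variable, never through ${{ }} inside run:.
          COMMENT_BODY: ${{ github.event.comment.body }}
        run: |
          # Take the first whitespace-delimited token and accept it only if it is on the allowlist.
          first=${COMMENT_BODY%%[[:space:]]*}
          case "$first" in
            /build|/test|/lint)
              echo "command=${first#/}" >> "$GITHUB_OUTPUT" ;;
            *)
              echo "unrecognised command" >&2
              exit 1 ;;
          esac

      - name: Execute command
        env:
          # Still passed via env: the output is derived from user input, so it stays data.
          COMMAND: ${{ steps.parse.outputs.command }}
        run: |
          # Dispatch on the validated value; $COMMAND is quoted and is never evaluated as code.
          case "$COMMAND" in
            build) make build ;;
            test)  make test ;;
            lint)  make lint ;;
            *)
              echo "refusing to run '$COMMAND'" >&2
              exit 1 ;;
          esac
```

Both steps keep the ${{ }} expression in an env: mapping, which GitHub assigns as a variable value rather than pasting into the script, so the comment body can no longer change the shell's control flow.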
Thank you for your time and for maintaining this project.