Early in November, Google publicly disclosed a “high” severity security flaw that its Project Zero team had discovered in Microsoft-owned GitHub, after previously having disclosed it privately to GitHub and provided time for the flaw to be patched. As a result of the deadline imposed by Project Zero lapsing, Google publicly disclosed it (via Neowin).
104 days later, GitHub has finally patched the flaw.
The flaw surrounded GitHub’s workflow commands functionality, which is the community between the Action Runner and executed actions. It’s part of GitHub’s Actions feature. Google’s Project Zero claimed the feature is “fundamentally insecure”, and the member of the group who reported the flaw, Felix Wilhelm, offered up 2 possible solutions, one being a short-term fix, and one being a long-term fix.
It appears that GitHub has taken up the short-term fix, at least for now. GitHub’s patch notes state:
- Disable Old Runner Commands set-env and add-path
- update dotnet install scripts
- update runner version and release notes
Nonetheless, users can now rest assured that this flaw has been patched.