Google Project Zero to GitHub: You've had 104 days to sort out injection vuln – now we're telling world-plus-dog

Google's bug-hunting Project Zero team has posted details of an injection vulnerability in GitHub Actions after refusing a request to postpone disclosure. The issue arises due to the ability to set environment variables that are then parsed for execution by GitHub Actions. According to the Project Zero disclosure: "As the …
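The mechanism behind that sentence, as an added example that is not part of the article or the comment thread: the runner scans every line a step writes to stdout and interprets any line in workflow-command syntax, so untrusted text that reaches the log (a pull-request title, an issue body) can set variables for later steps. The block assumes the legacy `::set-env name=NAME::VALUE` and `::add-path::VALUE` forms and the `::stop-commands::TOKEN` guard used to neutralise them; the sample step output is constructed.

```python
import re
from typing import List, Tuple

# Constructed sample of one step's stdout (not from the article). Lines 3 and 4
# show text that reached the log and happens to be valid workflow-command syntax.
SAMPLE_OUTPUT = """\
Checking pull request title...
PR title: Fix typo in README
::set-env name=RELEASE_CHANNEL::beta
::add-path::/tmp/tools
::warning::this one only annotates the log
Done
"""

# Assumed legacy syntax parsed from any step's stdout:
#   ::set-env name=NAME::VALUE   and   ::add-path::VALUE
_CMD_RE = re.compile(r"^::(?P<cmd>[a-z-]+)(?:\s+(?P<params>[^:]*))?::(?P<value>.*)$")
ENV_MUTATING = {"set-env", "add-path"}  # commands that change later steps' environment


def parse_workflow_commands(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, cmd, params, value) for each workflow-command line, honouring
    a ::stop-commands::TOKEN ... ::TOKEN:: guard (assumed mitigation syntax)."""
    found, stop_token = [], None
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if stop_token is not None:
            if line == f"::{stop_token}::":   # resume command processing
                stop_token = None
            continue                          # everything else is plain text
        m = _CMD_RE.match(line)
        if not m:
            continue
        if m.group("cmd") == "stop-commands":
            stop_token = m.group("value")
            continue
        found.append((n, m.group("cmd"), m.group("params") or "", m.group("value")))
    return found


def env_mutations(text: str) -> List[Tuple[int, str, str, str]]:
    """Only the commands that alter the runner environment for subsequent steps;
    any of these in output derived from untrusted input is a finding."""
    return [f for f in parse_workflow_commands(text) if f[1] in ENV_MUTATING]


def guard(text: str, token: str = "review-guard") -> str:
    """Wrap untrusted output so the runner does not interpret commands inside it."""
    return f"::stop-commands::{token}\n{text}::{token}::\n"
```

Running `env_mutations` over a CI log of steps that echo user-controlled data is a cheap audit for workflows still relying on the legacy commands.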

  1. IGotOut Silver badge

    So Google...

    would rather break things than let them be reduced in importance.

    Yet when it came to Android, it's taken a decade for it to even start to resemble an OS that doesn't rely on 3rd parties to update.

    1. Blackjack Silver badge

      Re: So Google...

      Microsoft did the same thing with Windows. Windows 1.0 launched on November 20, 1985 and it took almost a decade until we got to Windows 95, the first time Windows became a real OS and a killer app. It also caused a lot of hardware sales to either upgrade PCs or buy PCs that could run Windows 95.

      Let's face it, as nice as Windows 3.1 was, it was still a shell running over DOS, not an operating system on its own.

      1. Spacedinvader
        Holmes

        Re: So Google...

        "launched on November 20, 1985 and it took almost a decade until we got to Windows 95"

        Almost?

        See icon

        1. Blackjack Silver badge

          Re: So Google...

          Windows 1.0 November 20, 1985;

          Windows 95 August 15, 1995;

          That's 9 years, 8 months and 26 days or...

          "Almost" ten years.

    2. Kevin McMurtrie Silver badge

      Re: So Google...

      This feature never should have existed. It's allowing critical environment variables. Every person contributing should know the OWASP Top Ten, and injection is #1 on the list.

      1. chuBb. Silver badge

        Re: So Google...

        yes but DEVOOPS!!!#!1111! or as used to be drummed into ops sorts, just because you can doesn't mean you should...

        Might be in the minority but I only use GH for versioning; anything CI/CD (CI only really, people who do CD as advertised are a rounding error) runs in house and doesn't support emojis (honestly, last time someone who doesn't know better tried to convince me that GitHub Actions and workflows running on others' platforms (yet to find a reason why that's better than doing it in-house) were a good thing, it was to show me them receiving notifications and a tweet on their phone that a build was failing with the poo emoji; my response was what use is that to you, can you fix your build on your phone, how is that better than the plain text email my build server sends without any 3rd parties involved).

    3. Charlie Clark Silver badge

      Re: So Google...

      If Google has found the problem you can assume other agencies have as well and are probably already exploiting it. Not publishing the results is really just a courtesy.

      The real thing is: how does Google respond in similar situations? Does it take security reports as seriously as it expects others to take its?

  2. Claptrap314 Silver badge

    I have a fix

    Drop the *#*$# functionality immediately.

    It was poorly thought out and poorly implemented in the first place. Yes, doing that will break workflows. NOT doing that can break the entire thing.

    1. Anonymous Coward

      Re: I have a fix

      Thing is, we all use external dependencies in one way or another. So you have to expect that workflows may break at any time.

      Ideally, as long as you have some prior notice and you're paying attention and you have the resources to make the necessary adaptations (or can afford to let it break), this shouldn't catch anyone off guard.

  3. YetAnotherJoeBlow Bronze badge

    Yet again

    GitHub really did not want to break user space - right or wrong.

    Maybe some of Google's code needs to be looked at a little closer - say their SMTP servers or perhaps Widevine - just to look and learn the proper way to implement those services.

    There is of course a difference between refusal to fix and actual repair work ongoing.

  4. Maelstorm Bronze badge

    Three times and you're out...

    This is the third time they pulled this crap. I'm not familiar with the feature they are talking about, but since this is GitHub, I'm assuming that it's the online component. Maybe GitHub needs more time to sort it out. Google are just being dicks, like usual. What happened to their mantra "Don't be evil." ???

  5. Ken Hagan Gold badge

    Confused, of Tunbridge Wells, writes...

    So GitHub publishes sufficient detail to alert all the bad guys about this bug, on 1st October, but Project Zero gets a hard time for publishing a month later. So is publishing details/clues etc about this bug good or bad?

  6. HildyJ Silver badge

    I can fault Google for many (many) things but not this. Ultimately I would rather know that there is an unpatched vulnerability in my systems than have an unpatched vulnerability and not know it. Three months seems like ample time to keep it secret.

  7. amanfromMars 1 Silver badge

    Something to bear in mind ..... and extinguish hope of ..... for it has no place in reality ‽

    Some vulnerabilities cannot be "fixed" ...... they are important systemic opportunities/abiding future relevant features best embraced and extended and modified, for extinction is neither possible nor adorable and attractive.

    That can be a difficult coloured pill to swallow but patients in need of it cannot survive without them being readily available for consumption.

    'Tis a Simply Complex Fact of Life .....:-) which some could/may also tell you, based upon their very own intimate personal experiences, is a Fact for Life and even venture further and posit IT a Fact for a Life and Lives in the Afterlife with Other Live Phorms....... but they be few and far between and most unlikely to bother you directly with such an Extreme Meme Stream, resulting as it can do all too easily with one believing it to be too unbelievable to be honestly true and a wonderfully stealthy portal to delights beyond compare.


Biting the hand that feeds IT © 1998–2021