Google discloses a GitHub vulnerability

Project Zero has published details of a serious security vulnerability in GitHub. The flaw affects the workflow commands feature of GitHub Actions and is rated as high severity. (The bug was found in July, but under the standard 90-day disclosure deadline the details have only now been released.)

This flaw is one of the few vulnerabilities that had not been properly fixed by the time the 90-day deadline set by Google Project Zero expired.

According to Felix Wilhelm, the Project Zero team member who found it, the flaw affects GitHub Actions, the tool developers use to automate their work. The problem is that Actions workflow commands are "vulnerable to injection attacks":

"GitHub Actions supports a feature called workflow commands as a communication channel between the Action broker and the action being executed. Workflow commands are implemented in /src/Runner.Worker/ActionCommandManager.cs and work by parsing the STDOUT of every executed action, looking for one of two command markers.

He points out that the big problem with this feature is that it is vulnerable to injection attacks. Because the runner process scans every line printed to STDOUT for workflow commands, every GitHub action that prints untrusted content as part of its execution is vulnerable.

"In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow runs. I spent some time looking at popular GitHub repositories, and almost any project that uses slightly complex GitHub actions is vulnerable to this class of bug."

He later gave some examples of how the bugs could be exploited and also recommended a solution:

"I am not sure what the best way to fix this is. I think the way workflow commands are implemented is fundamentally insecure. Deprecating the v1 command syntax and hardening set-env with an allowlist would probably work against the direct RCE vectors.

"However, even the ability to override 'normal' environment variables used in later steps is probably enough to exploit more complex actions. I have also not analysed the security impact of the other workspace controls."

On the other hand, he notes that a good long-term solution would be to move workflow commands to a separate channel (for example a new file descriptor) so that STDOUT no longer has to be parsed, but this would break a lot of existing action code.

As for GitHub, its developers published an advisory on October 1 and deprecated the vulnerable commands, but argued that what Wilhelm had found was a "moderate security vulnerability". GitHub assigned the bug the identifier CVE-2020-15228:

"A moderate security vulnerability has been identified in the GitHub Actions runtime that could allow the injection of paths and environment variables into workflows that log untrusted data to STDOUT. This could lead to the introduction or modification of environment variables without the intent of the workflow author.

"To help us address this issue and to allow you to dynamically set environment variables, we have introduced a new set of files for managing environment and path updates in workflows.

"If you are using self-hosted runners, make sure they are updated to version 2.273.1 or later."
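The parsing behaviour Wilhelm describes and the file-based fix GitHub introduced, as an added illustration (this is not code from the GitHub runner or from Project Zero): a simplified model of the v1 `::set-env` marker being picked out of STDOUT, beside an environment-file mechanism that ignores STDOUT entirely. The regex, the sample log lines and the variable names are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Simplified reconstruction of the v1 marker the runner scanned for on each STDOUT line:
#   ::<command> <key>=<value>,...::<data>
# The second (legacy "##[") marker mentioned in the report is not modelled here.
CMD_RE = re.compile(r"^::(?P<cmd>[A-Za-z0-9_-]+)(?: (?P<props>[^:]*))?::(?P<data>.*)$")


def parse_commands(stdout_lines: List[str]) -> List[Tuple[str, Dict[str, str], str]]:
    """Return (command, properties, data) for every STDOUT line carrying a marker."""
    found = []
    for line in stdout_lines:
        m = CMD_RE.match(line.strip())
        if not m:
            continue
        raw_props = (m.group("props") or "").split(",")
        props = dict(p.split("=", 1) for p in raw_props if "=" in p)
        found.append((m.group("cmd"), props, m.group("data")))
    return found


def legacy_env(base: Dict[str, str], stdout_lines: List[str]) -> Dict[str, str]:
    """Pre-fix behaviour: any STDOUT line with ::set-env mutates the job environment,
    so untrusted text echoed by a step can override variables used by later steps."""
    env = dict(base)
    for cmd, props, data in parse_commands(stdout_lines):
        if cmd == "set-env" and "name" in props:
            env[props["name"]] = data
    return env


def env_file_env(base: Dict[str, str], env_file: str) -> Dict[str, str]:
    """Fixed behaviour: only NAME=value lines written to a dedicated environment file
    are honoured; STDOUT is never consulted, so echoed content cannot set variables."""
    env = dict(base)
    for line in env_file.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            env[name.strip()] = value
    return env


def suspicious_lines(stdout_lines: List[str]) -> List[str]:
    """Detection aid for log review: lines that would have been parsed as commands."""
    return [line for line in stdout_lines if CMD_RE.match(line.strip())]


# Constructed sample: a step echoes an untrusted issue title on its own line.
BASE_ENV = {"DEPLOY_TARGET": "prod"}
UNTRUSTED_STDOUT = [
    "Issue title follows:",
    "::set-env name=DEPLOY_TARGET::attacker-controlled-host",
    "Done.",
]
TRUSTED_ENV_FILE = "DEPLOY_TARGET=staging\n"
```

Running `legacy_env(BASE_ENV, UNTRUSTED_STDOUT)` shows DEPLOY_TARGET silently replaced by the echoed value, while `env_file_env(BASE_ENV, TRUSTED_ENV_FILE)` only picks up what the workflow author wrote to the file.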

According to Wilhelm, on October 12 Project Zero contacted GitHub and proactively offered a 14-day grace period in case GitHub needed more time to disable the vulnerable commands. The offer was accepted, and GitHub expected to disable the vulnerable commands after October 14. Project Zero then set the new disclosure date to November 19.

Source: https://bugs.chromium.org
