Google reveals a flaw in GitHub

Project Zero has released details of a serious security flaw in GitHub: the bug affects the workflow commands of GitHub Actions and is rated high severity. (The bug was found in July, but under the usual 90-day disclosure deadline the details have now been published.)

This flaw is one of the few vulnerabilities that was not properly fixed before the 90-day deadline set by Google Project Zero expired.

According to Felix Wilhelm, the Project Zero member who found it, the flaw affects GitHub Actions, the feature for automating developer workflows, because the workflow commands of Actions are "vulnerable to injection attacks":

“GitHub Actions supports a feature called workflow commands as a communication channel between the Action runner and the action being executed. Workflow commands are implemented in /src/Runner.Worker/ActionCommandManager.cs and work by parsing the STDOUT of all executed actions, looking for one of two command markers.

“That said, the big problem with this feature is that it is highly vulnerable to injection attacks. Because the runner process scans every line printed to STDOUT for workflow commands, every GitHub action that prints untrusted content as part of its execution is vulnerable.

“In most cases, the ability to set arbitrary environment variables leads to remote code execution as soon as another workflow runs. I spent some time looking at popular GitHub repositories, and almost any project that uses complex GitHub actions is vulnerable to this kind of bug.”

He later gave some examples of how this bug could be exploited and also proposed a fix:

“I'm not sure what the best way to fix this is. I think the way workflow commands are implemented is fundamentally insecure. Deprecating the v1 command syntax and hardening set-env with an allow-list would probably work against the direct RCE vectors.

“However, even the ability to override the 'normal' environment variables used by later steps is probably enough to exploit the more complex actions. And I haven't analysed the security impact of the other workspace controls.”

On the other hand, he said a good long-term fix would be to move workflow commands to a separate channel (for example, a new file descriptor) so that STDOUT no longer has to be parsed, but that this would break existing action code.

As for GitHub, its developers published an advisory on October 1 and deprecated the vulnerable commands, but stated that what Wilhelm found was in fact a moderate-severity security vulnerability. GitHub assigned it the identifier CVE-2020-15228:

“A moderate security vulnerability has been identified in the GitHub Actions runtime that allows injection of paths and environment variables in workflows that log untrusted data to STDOUT. This could result in environment variables being introduced or modified without the intention of the workflow author.

“To help us resolve this issue and to let you set environment variables dynamically, we have introduced a new set of files to handle environment and path updates in workflows.

“If you use self-hosted runners, make sure they are updated to version 2.273.1 or later.”
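The following is an added illustration, not code from the article, from Project Zero or from GitHub's runner: it models in Python the STDOUT scanning that Wilhelm's quote describes (the real parser is the C# file /src/Runner.Worker/ActionCommandManager.cs) and then the two behaviours GitHub's advisory introduces: set-env and add-path no longer honoured from STDOUT, and a file channel for environment updates instead. Assumptions that the page does not state: the exact shapes '::cmd prop=val::data' and legacy '##[cmd prop=val]data' for the two markers, that a command is honoured only when it starts a stripped line, and the names ATTACKER_TITLE, Runner, step_stdout and apply_env_file, which are this example's own. The attacker input is constructed.

```python
"""Simplified model of the STDOUT scanning the article describes.

Added illustration, not the runner's code (the real parser is the C# file
src/Runner.Worker/ActionCommandManager.cs). Assumed here: the shapes
'::cmd prop=val::data' and legacy '##[cmd prop=val]data', and that a command
is honoured only when it starts a stripped line.
"""
import re
from typing import Dict, List, Optional, Tuple

V2_RE = re.compile(r"^::(?P<cmd>[\w-]+)(?: (?P<props>[^:]*))?::(?P<data>.*)$")
V1_RE = re.compile(r"^##\[(?P<cmd>[\w-]+)(?: (?P<props>[^\]]*))?\](?P<data>.*)$")


def parse_props(text: Optional[str]) -> Dict[str, str]:
    """'name=FOO,other=x' -> {'name': 'FOO', 'other': 'x'}."""
    props: Dict[str, str] = {}
    for item in (text or "").split(","):
        if "=" in item:
            key, value = item.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def parse_command(line: str) -> Optional[Tuple[str, Dict[str, str], str]]:
    """Return (command, properties, data) if the line is a workflow command."""
    line = line.strip()
    for rx in (V2_RE, V1_RE):
        m = rx.match(line)
        if m:
            return m.group("cmd"), parse_props(m.group("props")), m.group("data")
    return None


class Runner:
    """Job state that workflow commands are allowed to mutate."""

    def __init__(self) -> None:
        self.env: Dict[str, str] = {}
        self.path: List[str] = []
        self.outputs: Dict[str, str] = {}
        self.applied: List[str] = []  # commands honoured, in order

    def process_stdout(self, stdout: str, env_commands_enabled: bool = True) -> None:
        """Scan every STDOUT line of a step for commands, as the runner does.

        env_commands_enabled=False models GitHub's fix: set-env and add-path
        are no longer honoured from STDOUT, other commands still are.
        """
        for raw in stdout.splitlines():
            parsed = parse_command(raw)
            if parsed is None:
                continue
            cmd, props, data = parsed
            if cmd == "set-env" and env_commands_enabled:
                self.env[props["name"]] = data
            elif cmd == "add-path" and env_commands_enabled:
                self.path.insert(0, data)
            elif cmd == "set-output":
                self.outputs[props["name"]] = data
            else:
                continue  # unknown or disabled command: ignored
            self.applied.append(cmd)

    def apply_env_file(self, content: str) -> None:
        """The replacement channel: a step appends NAME=VALUE lines to the file
        named by $GITHUB_ENV and the runner reads it afterwards. STDOUT is never
        consulted, so text echoed by the step cannot reach this path."""
        for line in content.splitlines():
            if "=" in line:
                key, value = line.split("=", 1)
                self.env[key] = value


# Constructed attacker input: a pull-request title. The step echoes it
# verbatim, and the embedded newlines put each command at the start of a line.
ATTACKER_TITLE = (
    "Fix typo\n"
    "::set-env name=INJECTED::from-pr-title\n"
    "##[add-path]/tmp/attacker-bin"
)


def step_stdout(title: str) -> str:
    """What an otherwise benign step doing `echo "Title: $TITLE"` prints."""
    return f"Linting...\n::set-output name=lint::ok\nTitle: {title}\nDone.\n"


def run_demo(env_commands_enabled: bool) -> Runner:
    runner = Runner()
    runner.process_stdout(step_stdout(ATTACKER_TITLE), env_commands_enabled)
    return runner


if __name__ == "__main__":
    before = run_demo(True)
    print("unpatched:", before.env, before.path)  # INJECTED set, attacker dir first in PATH
    after = run_demo(False)
    print("patched:  ", after.env, after.path)    # nothing injected from STDOUT
    after.apply_env_file("VERSION=1.2.3\n")       # the explicit file channel still works
    print("env file: ", after.env)
```

Run stand-alone, the unpatched runner ends up with INJECTED in its environment and /tmp/attacker-bin at the front of PATH, while the patched runner takes nothing from the echoed title and only the value written through the env file lands in its environment; set-output keeps working in both modes. The attacker string deliberately uses both markers, which is the point of Wilhelm's suggestion to deprecate the v1 syntax: as long as either marker is scanned on STDOUT, untrusted text that reaches the start of a line is a command.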

According to Wilhelm, on October 12 Project Zero contacted GitHub and offered a 14-day window in case GitHub needed more time to disable the vulnerable commands. The offer was accepted, and GitHub expected to disable the vulnerable commands after October 19. Project Zero then set a new disclosure date of November 2.

Source: https://bugs.chromium.org
