In early November, Google publicly revealed a “high” severity security vulnerability that its Project Zero team discovered in Microsoft-owned GitHub, after privately disclosing it to GitHub and giving the company time to correct it. Google made the disclosure public because the deadline imposed by Project Zero had expired (via Neowin).
104 days later, GitHub finally fixed the flaw.
The flaw concerned GitHub’s workflow commands, which are the communication channel between the Action Runner and the actions performed. This is part of the Actions feature of GitHub. Google’s Project Zero claimed the feature was “fundamentally insecure,” and the member of the group who reported the flaw, Felix Wilhelm, offered 2 possible solutions: one a short-term fix and the other a long-term solution.
It looks like GitHub has gone with the short-term fix, at least for now. GitHub’s patch notes state:
- Disable old set-env and add-path runtime commands
- Update dotnet install scripts
- Update runner version and release notes
Nevertheless, users can now be assured that this flaw has been fixed.
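For maintainers checking their own repositories after this change, the following added example (not code from the article, Google, or GitHub) scans workflow text for the two disabled commands and proposes a replacement. It assumes the stdout syntax `::set-env name=NAME::VALUE` and `::add-path::PATH`, and uses GitHub's `GITHUB_ENV` and `GITHUB_PATH` environment files as the replacement, which the article does not mention; the workflow sample is constructed.

```python
import re

# The two stdout workflow commands the patch notes list as disabled.
# Assumed syntax:  ::set-env name=NAME::VALUE   and   ::add-path::PATH
# Matching is case-insensitive as a conservative choice.
DEPRECATED = re.compile(
    r"::(?P<cmd>set-env|add-path)(?:\s+name=(?P<name>[^:\s]+))?::(?P<value>[^\"'\n]*)",
    re.IGNORECASE,
)

def suggest(cmd, name, value):
    """Return the environment-file form that replaces a disabled command."""
    if cmd == "set-env":
        return f'echo "{name or "<NAME>"}={value}" >> "$GITHUB_ENV"'
    return f'echo "{value}" >> "$GITHUB_PATH"'

def scan_workflow(text):
    """Return (line_no, command, suggested_replacement) for each disabled command."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # skip commented-out YAML lines
            continue
        for m in DEPRECATED.finditer(line):
            cmd = m["cmd"].lower()
            findings.append((no, cmd, suggest(cmd, m["name"], m["value"].strip())))
    return findings

# Constructed sample workflow, not taken from any real repository.
SAMPLE = '''\
name: build
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "::set-env name=BUILD_MODE::release"
      - run: echo "::add-path::$HOME/.local/bin"
      # - run: echo "::set-env name=OLD::1"
      - run: echo "BUILD_MODE=release" >> "$GITHUB_ENV"
'''

if __name__ == "__main__":
    for no, cmd, fix in scan_workflow(SAMPLE):
        print(f"line {no}: disabled command {cmd}; use: {fix}")
```

The scan only covers commands written literally in workflow files; scripts or third-party actions that print these commands at run time need to be checked separately.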