Receiving No Response, Severe Flaw On GitHub Disclosed By Google


No platform is free from vulnerabilities. The bugs are waiting to be found, and it's either hackers or security researchers who will first discover them.

This time, Google Project Zero, the team that hunts for bugs in popular software, has disclosed what it classes as a high-severity flaw in GitHub. The bug resides in GitHub Actions, the developer workflow automation tool.

Google Project Zero is known to be strict about its 90-day deadline for disclosing bugs. In this case, however, it agreed when the code-hosting platform asked for an extension of the normal 90-day disclosure deadline.

But when GitHub asked for yet another extension, the team at Google Project Zero could not comply. Seeing that GitHub had been lax in its responses even as the deadline approached, after Google had given it every chance to fix the bug, the team had no choice but to disclose the bug to the public.

More than 95.8% of software flaws are fixed within Google's specified deadline, according to Google's team.

GitHub's failure to patch the bug marks one of the rare occasions on which a vendor failed to fix a bug before Google Project Zero's deadline plus grace period expired.

According to Google Project Zero's Felix Wilhelm in a blog post, GitHub Actions' workflow commands are "highly vulnerable to injection attacks".

"As the runner process parses every line printed to STDOUT looking for workflow commands, every GitHub action that prints untrusted content as part of its execution is vulnerable. In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed."

"I've spent some time looking at popular GitHub repositories and almost any project with somewhat complex GitHub actions is vulnerable to this bug class."

Wilhelm also published a proof-of-concept for the bug.

According to the disclosure timeline, the team first reported the bug to GitHub on July 21, which put the 90-day deadline at October 18.

GitHub acknowledged the bug and issued an advisory on October 1. It also assigned the bug the tracking identifier CVE-2020-15228.

But because the team at Google saw no fix, on October 12 it contacted GitHub again and offered a 14-day grace period in case GitHub wanted more time to fix the bug.

GitHub took the grace period offer, and Google Project Zero extended the disclosure date to November 2.


After waiting and again receiving neither a response nor a fix, Google Project Zero contacted GitHub once more on October 28 to warn that the deadline was about to expire. Again, there was no response.

Google Project Zero then contacted GitHub through informal channels and received a response saying that "the issue is considered fixed and that [GPZ] are clear to go public on 2020-11-02 as planned", explained Wilhelm.

However, a day before the deadline, GitHub officially responded and requested a further two-day extension.

"GitHub responds and mentions that they won't be disabling the vulnerable commands by 2020-11-02. They request an additional 48 hours, not to fix the issue, but to notify customers and determine a 'hard date' at some point in the future," wrote Wilhelm.

After November 2, with GitHub having neither responded nor fixed the bug, the team at Google was forced to disclose it. Under its policy, Google may not offer an extension beyond 104 days (90 days plus 14 days' grace).

"Grace periods will not be granted for vulnerabilities that are expected to take longer than 104 days to fix," as Google Project Zero stated on its 2020 disclosure policy.

Previously, Microsoft also failed to fix a zero-day bug in its Windows operating system, leading Google Project Zero to disclose that bug to the public as well.

About three months after first being notified, GitHub finally fixed the high-severity security flaw reported to it by Google Project Zero.

GitHub fixed it by disabling the feature's old runner commands, set-env and add-path, as Wilhelm had suggested. The fix was implemented on November 16, two weeks after Wilhelm publicly disclosed the issue.
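To make the bug class Wilhelm describes concrete, and to show what the set-env/add-path fix changes, here is an added example (not code from the article, from Project Zero, or from GitHub's runner). It models a runner that scans a step's output line by line for `::command props::data` workflow commands, feeds it the output of a step that echoes an untrusted pull-request title containing an embedded newline, and contrasts three situations: the pre-fix runner, the same step guarded with GitHub's `::stop-commands::` fence, and the post-fix runner that reports but ignores the legacy commands. The regex and the `INJECTED` variable name are assumptions made for the example; the untrusted title is constructed.

```python
import re
import secrets
from typing import Dict, List, Optional, Tuple

# Simplified model of the runner's command syntax "::cmd key=val,...::data".
# Assumption: this regex approximates, and does not reproduce, the real parser.
COMMAND_RE = re.compile(r"^::(?P<cmd>[a-z-]+)(?: (?P<props>[^:]*))?::(?P<data>.*)$")

# The two commands GitHub disabled on November 16 as its fix.
LEGACY_COMMANDS = {"set-env", "add-path"}


def parse_props(text: Optional[str]) -> Dict[str, str]:
    """Turn 'name=FOO,other=bar' into a dict (empty when no props were given)."""
    props: Dict[str, str] = {}
    for item in (text or "").split(","):
        if "=" in item:
            key, value = item.split("=", 1)
            props[key.strip()] = value
    return props


def scan_output(lines: List[str], legacy_enabled: bool = True
                ) -> Tuple[Dict[str, str], List[Tuple[int, str]]]:
    """Model the runner's line-by-line scan of a step's STDOUT.

    Returns the environment changes the runner would apply, plus a list of
    (line number, command) findings for every legacy command seen, which is
    also what a defender would grep CI logs for. With legacy_enabled=False the
    commands are reported but not applied, mirroring the post-fix runner.
    """
    env: Dict[str, str] = {}
    findings: List[Tuple[int, str]] = []
    stop_token: Optional[str] = None
    for number, line in enumerate(lines, 1):
        # Inside a stop-commands block only the matching resume token is honoured;
        # every other line is treated as plain text.
        if stop_token is not None:
            if line == f"::{stop_token}::":
                stop_token = None
            continue
        match = COMMAND_RE.match(line)
        if not match:
            continue
        cmd, data = match.group("cmd"), match.group("data")
        props = parse_props(match.group("props"))
        if cmd == "stop-commands":
            stop_token = data
        elif cmd in LEGACY_COMMANDS:
            findings.append((number, cmd))
            if legacy_enabled and cmd == "set-env":
                env[props.get("name", "")] = data  # attacker-chosen variable lands in the job env
    return env, findings


# Constructed untrusted input: a pull-request title carrying an embedded newline.
UNTRUSTED_TITLE = "Fix typo in README\n::set-env name=INJECTED::yes"


def echo_step(title: str) -> List[str]:
    """A step that prints untrusted input verbatim; every line reaches the parser."""
    return ("Title: " + title).splitlines()


def echo_step_guarded(title: str) -> List[str]:
    """Same step, but the untrusted text is fenced with stop-commands and a
    random resume token the input cannot predict."""
    token = secrets.token_hex(16)
    return [f"::stop-commands::{token}", *("Title: " + title).splitlines(), f"::{token}::"]


if __name__ == "__main__":
    print("pre-fix runner  :", scan_output(echo_step(UNTRUSTED_TITLE)))
    print("guarded step    :", scan_output(echo_step_guarded(UNTRUSTED_TITLE)))
    print("post-fix runner :", scan_output(echo_step(UNTRUSTED_TITLE), legacy_enabled=False))
```

The first call shows why Wilhelm called the commands "highly vulnerable to injection": the runner cannot tell a line the step meant to print from one that arrived inside the title, so the injected `set-env` is applied. The `findings` list is the detection angle: any `set-env` or `add-path` appearing in historical workflow logs, or any `::set-env` string in a repository's action scripts, is worth a review. The guarded step and the `legacy_enabled=False` run show the two layers of mitigation: a per-step `stop-commands` fence with an unguessable token, and the runner-side removal of the commands that GitHub shipped on November 16.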

Published: 02/11/2020