Jsoref

**Name of the Vulnerable Software and Affected Versions** tj-actions/verify-changed-files versions prior to 17 **Description** The tj-actions/verify-changed-files action allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. The verify-changed-files workflow returns the list of files changed within a workflow execution. This could potentially allow filenames that contain special characters such as `;` which can be used by an attacker to take over the GitHub Runner if the output value is used in a raw fashion (thus being directly replaced before execution) inside a `run` block. By running custom commands, an attacker may be able to steal secrets such as `GITHUB TOKEN` if triggered on other events than `pull request`. **Recommendations** To resolve the issue, update to version 17 or later, which enables `safe output` by default and returns filename paths escaping special characters for bash environments. As a temporary workaround, consider using environment variables to store unsafe outputs, such as `CHANGED FILES`, to minimize the risk of exploitation. For example: ```yaml - name: List all changed files tracked and untracked files env: CHANGED FILES: ${{ steps.verify-changed-files.outputs.changed files }} run: | echo "Changed files: $CHANGED FILES" ```

**Name of the Vulnerable Software and Affected Versions** tj-actions/changed-files versions prior to 41.0.0 **Description** The `tj-actions/changed-files` workflow allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. This issue may lead to arbitrary command execution in the GitHub Runner. The action returns a list of files changed in a commit or pull request, which provides an `escape json` input that only escapes `"` for JSON values. This could potentially allow filenames that contain special characters such as `;` and `` ` `` (backtick) to be used by an attacker to take over the GitHub Runner if the output value is used in a raw fashion inside a `run` block. By running custom commands, an attacker may be able to steal secrets such as `GITHUB TOKEN` if triggered on other events than `pull request`. **Recommendations** For versions prior to 41.0.0, upgrade to version 41.0.0 or later to address the issue. As a temporary workaround, consider using environment variables to store unsafe outputs, and ensure that the output value is not used in a raw fashion inside a `run` block. For example, use the following code: ``` - name: List all changed files env: ALL CHANGED FILES: ${{ steps.changed-files.outputs.all changed files }} run: | for file in "$ALL CHANGED FILES"; do echo "$file was changed" done ```