PT-2023-31875 · GitHub · tj-actions/changed-files

Jorgectf
Published: 2023-12-27 · Updated: 2024-01-04
CVE-2023-51664
CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: tj-actions/changed-files versions prior to 41.0.0
Description: The tj-actions/changed-files action allows command injection through changed filenames, which can let an attacker execute arbitrary code on the GitHub runner and potentially leak secrets. The action returns a list of files changed in a commit or pull request and offers an escape_json input, but that input only escapes " for JSON values. Filenames containing shell metacharacters such as ; and ` (backtick) can therefore be used by an attacker to take over the GitHub runner whenever the output value is used raw inside a run block. By running custom commands, an attacker may be able to steal secrets such as GITHUB_TOKEN when the workflow is triggered on events other than pull_request.
Recommendations: For versions prior to 41.0.0, upgrade to version 41.0.0 or later to address the issue. As a temporary workaround, store unsafe outputs in environment variables and ensure that the output value is never used raw inside a run block. For example, use the following code:
- name: List all changed files
  env:
    # Passing the output through an environment variable keeps the shell
    # from ever interpreting filename contents as code.
    ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
  run: |
    # The list is space-separated by default; expand it unquoted so word
    # splitting yields one filename per iteration, with globbing disabled.
    set -f
    for file in $ALL_CHANGED_FILES; do
      echo "$file was changed"
    done
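Added example (not part of this advisory or of the tj-actions project): a small Python check that scans workflow YAML for untrusted ${{ }} expressions expanded directly inside a run: step, the raw usage the description warns about, while accepting the env-variable pattern shown above. The function name, the list of untrusted contexts and the sample workflow are constructed for this example, and run: blocks are parsed line by line rather than with a YAML library.

```python
import re
from typing import List, Tuple

# Expression contexts an outside party can influence; steps.*.outputs.* covers
# action outputs such as changed-files' all_changed_files (list is an assumption).
UNSAFE_CONTEXT = re.compile(
    r"\$\{\{\s*(steps\.[\w-]+\.outputs\.[\w-]+|github\.event\.[\w.-]+|inputs\.[\w-]+)\s*\}\}"
)
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")  # `run:`, maybe after a step's dash
BLOCK_MARKERS = {"|", ">", "|-", ">-", "|+", ">+"}

def find_unsafe_run_expressions(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, context) for each untrusted ${{ }} expression expanded
    inside a run: script. Expressions under env: are ignored on purpose: the shell
    receives those as data, which is the mitigation the advisory recommends."""
    findings, lines, i = [], workflow_text.splitlines(), 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        indent, rest = len(m.group(1)), m.group(2)
        body = [(i + 1, rest)]  # inline scalar: the whole script is on this line
        i += 1
        if rest.strip() in BLOCK_MARKERS:
            body = []  # block scalar: continuation lines indented deeper than the key
            while i < len(lines) and (
                not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > indent
            ):
                body.append((i + 1, lines[i]))
                i += 1
        for lineno, text in body:
            findings.extend((lineno, em.group(1)) for em in UNSAFE_CONTEXT.finditer(text))
    return findings

# Constructed sample: first step expands the output raw (vulnerable), second uses env (mitigated).
SAMPLE_WORKFLOW = """\
steps:
  - name: Vulnerable usage
    run: |
      for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
        echo "$file was changed"
      done
  - name: Mitigated usage
    env:
      ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
    run: |
      for file in $ALL_CHANGED_FILES; do
        echo "$file was changed"
      done
"""
```

Running find_unsafe_run_expressions(SAMPLE_WORKFLOW) reports only the vulnerable step's for-loop line; the mitigated step produces no finding.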

Weakness Enumeration
  Command Injection
  Special Elements Injection

Related Identifiers
  CVE-2023-51664
  GHSA-mcph-m25j-8j63

Affected Products
  tj-actions/changed-files