NVD Advisory · Severity: Unrated · Published Dec 26, 2022 · Updated Aug 3, 2024

Brave UX for-the-badge combine-prs.yml OS command injection

CVE-2021-4281

Description

A vulnerability was found in Brave UX for-the-badge and classified as critical. Affected by this issue is some unknown functionality of the file .github/workflows/combine-prs.yml. The manipulation leads to os command injection. The name of the patch is 55b5a234c0fab935df5fb08365bc8fe9c37cf46b. It is recommended to apply a patch to fix this issue. VDB-216842 is the identifier assigned to this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OS command injection in Brave UX for-the-badge GitHub Actions workflow allows attackers to execute arbitrary commands via crafted branch names.

Vulnerability

The vulnerability resides in the .github/workflows/combine-prs.yml workflow of the Brave UX for-the-badge repository. The workflow uses the output of a step (steps.fetch-branch-names.outputs.result) directly in a shell command without sanitization, leading to OS command injection [1][2]. The affected code is in the run block that echoes the branch names and later uses steps.fetch-branch-names.outputs.prs-string in a JavaScript template literal. The patch (commit 55b5a234c0fab935df5fb08365bc8fe9c37cf46b) addresses this by passing the values through environment variables instead of direct interpolation [2].

Exploitation

An attacker can exploit this vulnerability by submitting a pull request with a branch name containing shell metacharacters (e.g., backticks, $(), ;). When the workflow executes, the unsanitized branch name is interpolated into the shell command, allowing arbitrary command execution. No authentication beyond a GitHub account is required to create a pull request against the repository.

Impact

Successful exploitation results in arbitrary OS command execution within the GitHub Actions runner environment. This could allow an attacker to exfiltrate secrets (e.g., GITHUB_TOKEN), modify repository contents, or perform other actions with the privileges of the workflow runner.

Mitigation

The vulnerability is fixed in commit 55b5a234c0fab935df5fb08365bc8fe9c37cf46b [2]. Users should update their repository to include this patch. No workarounds have been disclosed. The repository may be archived; if so, consider migrating to an alternative solution.
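To make the pattern in the Vulnerability and Mitigation sections concrete, below is an added, constructed workflow fragment; it is not the actual combine-prs.yml from the for-the-badge repository, whose contents are not reproduced on this page. The step id and output names follow the advisory; the job layout, the github-script version and the PR-listing logic are assumptions for illustration.

```yaml
name: combine-prs (constructed illustration, not the repository's workflow)
on:
  workflow_dispatch:

jobs:
  combine:
    runs-on: ubuntu-latest
    steps:
      - id: fetch-branch-names
        uses: actions/github-script@v6
        with:
          script: |
            // Assumed logic: collect the head branch names of open PRs.
            // Branch names are chosen by whoever opened the PR, so they are untrusted input.
            const prs = await github.rest.pulls.list({
              owner: context.repo.owner, repo: context.repo.repo, state: 'open' });
            const names = prs.data.map(pr => pr.head.ref);
            core.setOutput('prs-string', names.join(' '));
            return names;   // becomes steps.fetch-branch-names.outputs.result

      # VULNERABLE PATTERN: ${{ ... }} is expanded by the Actions runner before the
      # shell sees the script, so the branch names become part of the command text
      # itself and any shell metacharacters in them are parsed as command syntax.
      - name: Echo branches (vulnerable)
        run: |
          echo "Branches: ${{ steps.fetch-branch-names.outputs.result }}"

      # The same defect inside a JavaScript template literal: the expression is
      # substituted into the source code of the script before it is evaluated.
      - name: Build message (vulnerable)
        uses: actions/github-script@v6
        with:
          script: |
            const msg = `Combining: ${{ steps.fetch-branch-names.outputs.prs-string }}`;

      # HARDENED PATTERN (the approach the patch is described as taking): bind the
      # untrusted value to an environment variable. The runner substitutes it into
      # the env block only; the shell and the script then read it as data.
      - name: Echo branches (hardened)
        env:
          PRS: ${{ steps.fetch-branch-names.outputs.result }}
        run: |
          echo "Branches: $PRS"

      - name: Build message (hardened)
        uses: actions/github-script@v6
        env:
          PRS_STRING: ${{ steps.fetch-branch-names.outputs.prs-string }}
        with:
          script: |
            const msg = `Combining: ${process.env.PRS_STRING}`;
```

The same rule applies to any other attacker-controlled expression context (PR titles, issue bodies, commit messages): move it into `env:` and reference the variable, rather than placing `${{ }}` inside `run:` or `script:` text.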

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
