The bug was discovered by Project Zero's Felix Wilhelm on July 21.

These workflow commands act as a communication channel between the Action runner and the executed action.

The big problem with this feature is that it is highly vulnerable to injection attacks.


The advisory urged users to update their workflows.

This can result in environment variables being introduced or modified without the intention of the workflow author.
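To make the injection risk concrete, here is an added example that is not from the article or from GitHub's runner code: a small Python checker that parses a step's output with an approximation of the runner's `::command key=value::data` line grammar and flags the two commands, `set-env` and `add-path`, that could alter the job environment. The command names and syntax follow GitHub's public runner documentation; the log lines are constructed, and the `::`-at-line-start assumption is a simplification of the runner's parser.

```python
import re

# Approximation of the runner's workflow-command grammar, matched on a
# whole stdout line: "::cmd key=val,key=val::data" (assumed: line must start with "::").
WORKFLOW_CMD = re.compile(
    r"^::(?P<cmd>[a-zA-Z0-9_-]+)(?:\s+(?P<props>[^:]*))?::(?P<data>.*)$"
)

# Commands that mutate the job environment; GitHub deprecated both after this bug.
ENV_MUTATING = {"set-env", "add-path"}


def unescape_data(data):
    """Reverse the runner's data escaping (%0D, %0A, %25)."""
    return data.replace("%0D", "\r").replace("%0A", "\n").replace("%25", "%")


def parse_workflow_command(line):
    """Return (cmd, props, data) if the line is a workflow command, else None."""
    m = WORKFLOW_CMD.match(line.rstrip("\r\n"))
    if not m:
        return None
    props = {}
    for pair in (m.group("props") or "").split(","):
        if "=" in pair:
            key, value = pair.split("=", 1)
            props[key.strip()] = value
    return m.group("cmd"), props, unescape_data(m.group("data"))


def find_env_injections(log_lines):
    """Scan step output; report (line no, cmd, name, data) for env-changing commands."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        parsed = parse_workflow_command(line)
        if parsed and parsed[0] in ENV_MUTATING:
            cmd, props, data = parsed
            findings.append((n, cmd, props.get("name"), data))
    return findings


# Constructed sample: untrusted text (e.g. an issue title) echoed by a step.
SAMPLE_STEP_OUTPUT = [
    "Processing issue title",
    "::set-env name=MY_VAR::injected-value",
    "::warning::nothing to do",
    "::add-path::/tmp/constructed",
]

if __name__ == "__main__":
    for n, cmd, name, data in find_env_injections(SAMPLE_STEP_OUTPUT):
        print(f"line {n}: {cmd} name={name!r} data={data!r}")
```

In a real pipeline the same check runs over captured step logs; any hit on untrusted output is the signal that a runner older than 2.273.1 would have honoured the command.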

If you are using self-hosted runners, check that they are updated to version 2.273.1 or greater.


Wilhelm said that workflow commands in GitHub Actions are hard to fix.

The way workflow commands are implemented is fundamentally insecure.

GitHub's solution is to gradually remove the risky commands permanently.

The developer platform accepted the offer knowing that the bug would be publicly disclosed on November 2.

GitHub responded, saying that it won't be disabling the vulnerable commands by 2020-11-02.

source: www.techworm.net