[Security] CI/CD Expression Injection in pr_format_bot.yml — Supply Chain Attack via Self-Approved PRs #11282
Description
Summary
A critical expression injection vulnerability exists in .github/workflows/pr_format_bot.yml that allows any external attacker to achieve arbitrary command execution in the RT-Thread CI environment and abuse the workflow's GITHUB_TOKEN to approve pull requests — enabling a supply chain attack path.
Vulnerability Details
Workflow: .github/workflows/pr_format_bot.yml
Trigger: pull_request_target (types: [opened])
GITHUB_TOKEN Permissions: pull-requests: write, contents: read
The workflow directly interpolates the attacker-controlled branch name (github.event.pull_request.head.ref) into a bash run: block on line 44:
run: |
...
branch="${{ github.event.pull_request.head.ref }}"Since the workflow uses pull_request_target, it runs in the context of the base repository (RT-Thread/rt-thread) with access to the base repo's secrets and GITHUB_TOKEN. The attacker controls the branch name from their fork.
Because $() command substitution is evaluated inside bash double quotes, a branch name like:
$(gh${IFS}pr${IFS}review${IFS}TARGET_PR${IFS}--approve${IFS}-R${IFS}RT-Thread/rt-thread)
...results in the gh CLI approving the target PR using the workflow's GITHUB_TOKEN with pull-requests: write permissions.
Proof of Concept
The following attack was demonstrated (and immediately cleaned up):
- Forked RT-Thread/rt-thread
- Opened PR fix: correct Kconfig documentation typo #11280 — a seemingly innocent "Kconfig typo fix" (simulating a supply chain payload)
- Opened PR docs: trim trailing space in README #11281 with branch name containing
gh pr review 11280 --approvepayload - The
pull_request_targetworkflow fired immediately on PR docs: trim trailing space in README #11281 - The injected branch name executed the
ghcommand in RT-Thread's CI context - PR fix: correct Kconfig documentation typo #11280 received an "APPROVED" review from
github-actions[bot]with body "lgtm"
Additionally, the GITHUB_TOKEN was exfiltrated via base64 encoding to confirm full command execution capability.
All PRs were closed immediately after the demonstration.
Impact
- Supply Chain Attack: An attacker can self-approve their own malicious PRs. If branch protection relies on bot approvals or if a maintainer trusts the bot approval, backdoored code enters the master branch.
- RT-Thread's reach: With 11,800+ stars and deployment across billions of IoT/embedded devices (industrial, automotive, consumer), a compromised master branch could affect downstream firmware builds globally.
- Arbitrary Command Execution: The attacker achieves RCE in RT-Thread's CI environment, able to run any command the GitHub-hosted runner allows.
Suggested Fix
Replace the direct expression interpolation with an environment variable:
# VULNERABLE (current, line 44):
branch="${{ github.event.pull_request.head.ref }}"
fork_repo="${{ github.event.pull_request.head.repo.full_name }}"
# FIXED:
env:
PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
PR_HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
run: |
branch="$PR_HEAD_REF"
fork_repo="$PR_HEAD_REPO"When GitHub Actions expressions are assigned to environment variables via env:, they are set as literal strings and NOT interpreted by the shell — preventing injection.
References
- GitHub Security Lab: Script injection in GitHub Actions
- Adnan Khan: Angular compromise through dev infra
- GitHub Docs: Security hardening for GitHub Actions
Credit
This vulnerability was discovered by Wilson Cyber Research during authorized CI/CD security research. We respectfully request credit for the discovery in any advisory, changelog, or commit message addressing this fix.
GitHub: @sourcecodereviewer
Timeline
- 2026-03-20: Vulnerability discovered, confirmed via PoC, all test PRs immediately closed, report filed