@joernchen reported an issue that could potentially allow an attacker to set arbitrary environment variables on GitHub.com frontend servers during SSH Git operations. After review and modifications to the intial submission, we were able to identify a set of circumstances in which this was possible.
Environment variables were being set based on key/value pairs being passed over HTTP from one backend service to another. By injecting metacharacters in user controlled values, an attacker would have been able to add arbitrary key/value pairs. @joernchen also shared a few tricks that could have allowed an attacker to leaverage this vulnerability to execute arbitrary commands.
We addressed the vulnerability by stripping metacharacters from user controlled data before using it in environment variables. We have also performed a full audit of related code to ensure that there were no similar vulnerabilities.