
Conversation

jrfnl (Member) commented Sep 18, 2025

> GitHub Actions allows workflows to define template expansions, which occur within special `${{ ... }}` delimiters. These expansions happen before workflow and job execution, meaning the expansion of a given expression appears verbatim in whatever context it was performed in.
>
> Template expansions aren't syntax-aware, meaning that they can result in unintended shell injection vectors. This is especially true when they're used with attacker-controllable expression contexts, such as `github.event.issue.title` (which the attacker can fully control by supplying a new issue title).

Ref:
* https://securitylab.github.com/resources/github-actions-untrusted-input/
* https://docs.zizmor.sh/audits/#template-injection
jrfnl (Member, Author) commented Sep 18, 2025

@BinaryKitten @fredden Would either of you have time to review this PR? As this is bash and the PR is largely auto-generated via zizmor, with a fixer in beta, I would very much appreciate a second opinion on whether these fixes look correct.

jrfnl (Member, Author) commented Sep 18, 2025

FYI, there are three more issues of the same kind reported via zizmor, which it didn't auto-fix (but which may need fixing):

```text
error[template-injection]: code injection via template expansion
  --> .\action.yml:67:22
   |
62 |       run: |
   |       --- this run block
...
67 |           if [[ "${{ endsWith( env.XSD_FILE, '.xsd' ) }}" == "false" ]]; then
   |                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → Unknown

error[template-injection]: code injection via template expansion
   --> .\action.yml:108:22
    |
103 |       run: |
    |       --- this run block
...
108 |           if [[ "${{ startsWith( env.XSD_URL, 'http://' ) || startsWith( env.XSD_URL, 'https://' ) || startsWith( env.XSD_URL, 'ftp://' ) }}...
    |                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Unknown

error[template-injection]: code injection via template expansion
   --> .\action.yml:112:24
    |
103 |       run: |
    |       --- this run block
...
112 |           elif [[ "${{ endsWith( env.XSD_URL, '.xsd' ) }}" == "false" ]]; then
    |                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Unknown
```

fredden (Member) commented Sep 18, 2025

`endsWith` and `startsWith` look like GitHub Actions special functions. Those can be rewritten in bash syntax. Looking at the code though, I don't understand how these can expand into attacker-controlled code. Is there a reference that explains this case?

jrfnl (Member, Author) commented Sep 18, 2025

> `endsWith` and `startsWith` look like GitHub Actions special functions. Those can be rewritten in bash syntax. Looking at the code though, I don't understand how these can expand into attacker-controlled code. Is there a reference that explains this case?

Yeah, my own imagination is running short a bit on these too, but here's an article someone pointed me to, which I still have to read myself too: https://www.synacktiv.com/publications/github-actions-exploitation-untrusted-input
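The three checks zizmor reported, rewritten in shell as fredden suggests, as an added example that is neither the PR's code nor the action's own: the `${{ }}` expressions move out of the `run:` block into `env:`, and the script compares plain variables, which the shell treats as data whatever characters they contain. The workflow wiring, the input names and the error messages are assumptions.

```shell
#!/bin/sh
# Added example, not the PR's or the action's code. Assumed step wiring, so that
# the run block itself contains no ${{ ... }} (input names are hypothetical):
#
#   - run: ./check.sh
#     env:
#       XSD_FILE: ${{ inputs.xsd_file }}
#       XSD_URL:  ${{ inputs.xsd_url }}

# GitHub's startsWith()/endsWith() are case-insensitive; lowercase first so the
# shell version keeps the same semantics instead of silently tightening them.
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# endsWith( env.XSD_FILE, '.xsd' ) as a POSIX case pattern on the variable.
has_xsd_suffix() {
  case "$(lower "$1")" in
    *.xsd) return 0 ;;
    *)     return 1 ;;
  esac
}

# startsWith( env.XSD_URL, 'http://' ) || 'https://' || 'ftp://'
has_supported_scheme() {
  case "$(lower "$1")" in
    http://*|https://*|ftp://*) return 0 ;;
    *)                          return 1 ;;
  esac
}

# action.yml line 67; returns an exit status (message text is assumed).
validate_xsd_file() {
  has_xsd_suffix "$1" && return 0
  echo "XSD_FILE must end with .xsd" >&2
  return 2
}

# action.yml lines 108/112: scheme first, then suffix, as in the report.
validate_xsd_url() {
  if ! has_supported_scheme "$1"; then
    echo "XSD_URL must start with http://, https:// or ftp://" >&2
    return 2
  elif ! has_xsd_suffix "$1"; then
    echo "XSD_URL must end with .xsd" >&2
    return 3
  fi
  return 0
}
```

The step then calls `validate_xsd_file "$XSD_FILE"` or `validate_xsd_url "$XSD_URL"`; quotes or semicolons in the value only affect the comparison result, never what the shell parses.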
