[feature] Add new script injection input
hugo-syn opened this issue · comments
Hi,

Using the syntax `${{ env.FOO }}` for accessing environment variables can cause severe security issues; it's recommended to use the regular shell syntax `$FOO`, or `$Env:FOO` for PowerShell.
Here is a vulnerable workflow example:
```yaml
name: Test
on:
  issues:
    types: [opened]
jobs:
  dummyjob:
    runs-on: ubuntu-latest
    steps:
      - name: Injection step
        run: |
          ls -asl
          echo "${{ env.BODY }}" > body.log
          cat body.log
          ls -asl
        env:
          BODY: ${{ github.event.issue.body }}
```
An attacker could open the following issue to get arbitrary code execution inside the GitHub runner:
```
Closing first double quote"; echo "running code here" > pwned.txt ; echo "closing last double quote
```

As a result the file `pwned.txt` is created:
Using this workflow would prevent the command injection vulnerability:
```yaml
name: Test
on:
  issues:
    types: [opened]
jobs:
  dummyjob:
    runs-on: ubuntu-latest
    steps:
      - name: Injection step
        run: |
          ls -asl
          echo "$BODY" > body.log
          cat body.log
          ls -asl
        env:
          BODY: ${{ github.event.issue.body }}
```
I already made a PR for this (#332), but you asked for an issue where we can discuss it.

If you don't want to raise an alert for using `${{ env.FOO }}`, could we at least allow a wildcard character like in the PR, so that people can add new untrusted inputs?
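The check requested above, as an added example that is not part of this issue or of the linter's own code: a small scanner that flags every `${{ ... }}` expression expanded inside a `run:` script, and for `${{ env.X }}` looks up where `X` is assigned so the report can say whether it is derived from an untrusted context such as `github.event.issue.body`. The two embedded workflows are the issue's own vulnerable and fixed examples (re-indented as YAML); the indentation-based `run:` block tracking and the list of untrusted context prefixes are simplifying assumptions of this example, not the linter's rules.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the vulnerable workflow from the issue.
VULNERABLE_WORKFLOW = """\
name: Test
on:
  issues:
    types: [opened]
jobs:
  dummyjob:
    runs-on: ubuntu-latest
    steps:
      - name: Injection step
        run: |
          ls -asl
          echo "${{ env.BODY }}" > body.log
          cat body.log
          ls -asl
        env:
          BODY: ${{ github.event.issue.body }}
"""

# Constructed sample input: the fixed workflow ("$BODY" instead of "${{ env.BODY }}").
FIXED_WORKFLOW = """\
name: Test
on:
  issues:
    types: [opened]
jobs:
  dummyjob:
    runs-on: ubuntu-latest
    steps:
      - name: Injection step
        run: |
          ls -asl
          echo "$BODY" > body.log
          cat body.log
          ls -asl
        env:
          BODY: ${{ github.event.issue.body }}
"""

EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")                      # ${{ expr }}
RUN_KEY_RE = re.compile(r"^(\s*)(- )?run:\s*(\||>)?")                 # "run:" key, optional block scalar
ENV_DEF_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*):\s*\$\{\{\s*(.*?)\s*\}\}\s*$")  # NAME: ${{ expr }}
ENV_REF_RE = re.compile(r"^env\.([A-Za-z_][A-Za-z0-9_]*)$")          # env.NAME

# Contexts an outside contributor can control (assumed, non-exhaustive list for this example).
UNTRUSTED_PREFIXES = ("github.event.", "github.head_ref", "inputs.")


def is_untrusted(expr: str) -> bool:
    return expr.startswith(UNTRUSTED_PREFIXES)


def collect_env_definitions(text: str) -> Dict[str, str]:
    """Map env variable names to the expression they are set from, e.g. BODY -> github.event.issue.body."""
    defs: Dict[str, str] = {}
    for line in text.splitlines():
        m = ENV_DEF_RE.match(line)
        if m:
            defs[m.group(1)] = m.group(2)
    return defs


def expressions_in_run_scripts(text: str) -> List[Tuple[int, str]]:
    """Return (line_no, expression) for every ${{ }} that is expanded into a run: script."""
    found: List[Tuple[int, str]] = []
    in_block, key_col = False, -1
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.lstrip()
        col = len(line) - len(stripped)
        # Inside a block scalar: every line indented deeper than the "run" key belongs to the script.
        if in_block and (stripped == "" or col > key_col):
            found.extend((lineno, m.group(1)) for m in EXPR_RE.finditer(line))
            continue
        in_block = False
        m = RUN_KEY_RE.match(line)
        if m:
            key_col = col + (2 if m.group(2) else 0)   # "- run:" puts the key two columns to the right
            found.extend((lineno, e.group(1)) for e in EXPR_RE.finditer(line))  # single-line "run: ..."
            in_block = bool(m.group(3))                 # "|" or ">" opens a multi-line script
    return found


def scan(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, expression, advice) for each expression expanded into a run: script."""
    env_defs = collect_env_definitions(text)
    findings: List[Tuple[int, str, str]] = []
    for lineno, expr in expressions_in_run_scripts(text):
        ref = ENV_REF_RE.match(expr)
        if ref:
            name = ref.group(1)
            source = env_defs.get(name, "<not defined in this file>")
            advice = f"use ${name} (or $Env:{name} in PowerShell) instead of ${{{{ env.{name} }}}}"
            if is_untrusted(source):
                advice += f"; {name} is set from untrusted input {source}"
        elif is_untrusted(expr):
            advice = "untrusted input expanded into a script; pass it through an env variable instead"
        else:
            advice = "expression expanded into a script; prefer passing it through an env variable"
        findings.append((lineno, expr, advice))
    return findings


if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("fixed", FIXED_WORKFLOW)):
        print(f"{label}: {scan(wf)}")
```

The scan reports the `echo "${{ env.BODY }}"` line of the vulnerable workflow, names `$BODY` as the replacement, and notes that `BODY` comes from `github.event.issue.body`; the fixed workflow produces no findings, because `$BODY` is expanded by the shell at run time rather than substituted into the script text before it is executed.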