Feature Request: checking workflow inputs for Untrusted input
johnpangalos opened this issue · comments
Action lint already does this for the github context, could/should it consider workflow input fields as "untrusted" as well? I don't mind making a PR for this as well if needed.
Thanks for your suggestion.
I agree that workflow inputs can be untrusted since an untrusted value may be derived from other context properties.
It depends on how the input is used in caller site. For example, using foo
in call-workflow1
call, but it is not untrusted in call-workflow2
call.
Caller:
jobs:
call-workflow1:
uses: org/repo/.github/workflows/reusable-workflow.yml@main
with:
# The input `foo` is untrusted
foo: ${{ github.event.issue.body }}
call-workflow2:
uses: org/repo/.github/workflows/reusable-workflow.yml@main
with:
# The input `foo` is not untrusted
foo: test
Callee:
on:
workflow_call:
inputs:
foo:
type: string
jobs:
test:
runs-on: ubuntu-latest
steps:
# This `inputs.foo` access may or may not be untrusted
- run: echo ${{ inputs.foo }}
The option is always reporting that the input is untrusted. This means it would cause so many false-positives since actionlint reports an error whenever any input is used in run:
. I agree that it's safer, but it would annoy users.