Skip to content

fix: github workflow vulnerable to script injection #984

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
diogoteles08 wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

fix: github workflow vulnerable to script injection #984

diogoteles08 wants to merge 1 commit into from

Conversation

@diogoteles08
Copy link

@diogoteles08 diogoteles08 commented Aug 14, 2024

Hi! I'm Diogo from Google's Open Source Security Team(GOSST) and I'm dropping by to suggest this small change that will enhance the security of your repository by preventing script injection attacks through your GitHub workflows.

In the piece of code I changed, you were directly using the value of a variable that comes from a user's input, so a malicious user could exploit that input and use it to run arbitrary code. By using an intermediate environment variable, the value of the expression is stored in memory, used as a variable and doesn't interact with the script generation process. This mitigates the script injection risks and also keeps your workflow running exactly as before.

You can find more information about this on this github documentation or in this gitguardian blogpost.

Cheers!

@diogoteles08
fix: github workflow vulnerable to script injection
de6be73 
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@diogoteles08