DYN-10536: Command injection in issue_type_predicter.yml GitHub Actions workflow#17122
Conversation
…ed the Remove Quotes step.
There was a problem hiding this comment.
See the ticket for this pull request: https://jira.autodesk.com/browse/DYN-10536
There was a problem hiding this comment.
Pull request overview
Mitigates a command-injection risk in the issue_type_predicter.yml GitHub Actions workflow by preventing untrusted issue content from being interpolated directly into shell commands, and by tightening workflow token permissions.
Changes:
- Added workflow-level least-privilege
permissions(issues: write,contents: read). - Removed the quote-stripping step and the
frabert/replace-string-actiondependency; simplified issue body/title handling. - Hardened command invocation by passing the issue JSON via step
envand quoting variables; improvedgh issue editargument handling.
| run: | | ||
| echo "analysis_response=$(pwsh .\\.github\\scripts\\issue_analyzer.ps1 "${{ env.template }}" "${{ env.acceptable_missing_info }}")" >> $GITHUB_ENV | ||
| response=$(pwsh ./.github/scripts/issue_analyzer.ps1 "${{ env.template }}" "${{ env.acceptable_missing_info }}") | ||
| echo "analysis_response=$response" >> "$GITHUB_ENV" |
There was a problem hiding this comment.
Fixed across all four $GITHUB_ENV writes (analyze, clean, create-json, run-predicter). Used the documented VAR<<DELIM ... DELIM heredoc form with a per-write random delimiter.
| run: | | ||
| echo "parsed_issue_body="$(pwsh .\\.github\\scripts\\issue_body_cleaner.ps1 )"" >> $GITHUB_ENV | ||
| parsed=$(pwsh ./.github/scripts/issue_body_cleaner.ps1) | ||
| echo "parsed_issue_body=$parsed" >> "$GITHUB_ENV" |
There was a problem hiding this comment.
Fixed across all four $GITHUB_ENV writes (analyze, clean, create-json, run-predicter). Used the documented VAR<<DELIM ... DELIM heredoc form with a per-write random delimiter.
RobertGlobant20
left a comment
There was a problem hiding this comment.
Just one comment for testing this changes in your own repo
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
|
jasonstratton
left a comment
There was a problem hiding this comment.
I think it looks good. I just would like Ashish's opinion on the potential for security risk.
|
One comment, that matches what @RobertGlobant20 already flagged. |
…h double-quoted string
RobertGlobant20
left a comment
There was a problem hiding this comment.
LGTM just re-execute the DynamoSelfServe job and update your branch
…njection_in_Workflow_
…thub.com/DynamoDS/Dynamo into DYN-10536_Command_injection_in_Workflow_





Purpose
Received an external security vulnerability report via Autodesk PSIRT, about the #issue_type_predicter.yml GitHub Actions workflow, specifically a command injection risk. This issue highlights that the workflow's current implementation allows untrusted input to be passed directly into shell commands without proper sanitization, potentially enabling attackers to execute arbitrary commands. The ticket emphasizes the need to validate and sanitize all inputs used in shell commands to mitigate this risk. It recommends updating the workflow to use safer practices, such as leveraging parameterized commands or escaping inputs, to ensure the security of the CI/CD pipeline.
Declarations
Check these if you believe they are true
Release Notes
Summary of changes to issue_type_predicter.yml
permissions:block (issues: write,contents: read).GITHUB_TOKENblast radius if injection is ever reintroduced.Remove Quotesstep and dropped thefrabert/replace-string-action@v2.5dependency.", only from body, never from title). Unnecessary once values flow viaenv:.Run Issues Type Predicter— the actual CVE fix:${{ env.issue_json_string }}moved into a step-levelenv: ISSUE_JSON:and the bash script reads"$ISSUE_JSON".Analyze Issue Body/Clean Issue Body—ISSUE_BODY/ISSUE_BODY_PARSEDnow read fromgithub.event.issue.bodydirectly (no longer routed through the deletedRemove Quotesstep).$env:ISSUE_BODY/$env:ISSUE_BODY_PARSED, so bash never sees the value. Safe by construction."$GITHUB_ENV"inecho ... >> "$GITHUB_ENV"calls.echo "var="$(...)""triple-quote concatenation was fragile..\\.github\\scripts\\...) → forward slashes (./.github/scripts/...).ubuntu-latest; forward slashes are unambiguous in bash.Reviewers
@jasonstratton @RobertGlobant20
FYIs
@eamiri