Skip to content

Prevent script injection in GitHub Actions workflows#2355

Open
ShubhamChaturvedi7 wants to merge 1 commit into
mainfrom
fix/gha-script-injection
Open

Prevent script injection in GitHub Actions workflows#2355
ShubhamChaturvedi7 wants to merge 1 commit into
mainfrom
fix/gha-script-injection

Conversation

@ShubhamChaturvedi7

@ShubhamChaturvedi7 ShubhamChaturvedi7 commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Summary

Fixes the Script Injection in GitHub Actions workflows (V2263112241).

Untrusted GitHub context values were interpolated directly into inline run: shell scripts, which allows an attacker-controlled value to be evaluated as shell code on the runner. This change binds those values to env: variables and references them as quoted shell variables, so they are treated as data rather than executable script.

Changes

.github/workflows/go-release.yml

  • Get release directory nameproject-name / version inputs moved to env ($PROJECT_NAME, $VERSION).
  • Run Go release automation script — same, and arguments quoted.
  • print diff...project-name and releaseDirName moved to env; paths quoted.

.github/workflows/smithy-diff.yml

  • Check if FILES is not emptypull_request.user.login, github.actor, and github.repository moved to env ($PR_USER, $ACTOR, $REPO) and referenced as shell variables in the comment/curl body.

Testing

  • Both workflow files validated as parseable YAML.
  • Verified no ${{ github.event* }}, ${{ github.actor }}, or ${{ steps.* }} interpolations remain inside any run: block — all such values are now in env: blocks (the recommended safe pattern).

Notes

  • Behavior is unchanged; only how untrusted values reach the shell.
  • The Generate a changelog step uses releaseDirName in a with: args: (an action input, not a run: shell body) and is workflow-generated, so it was not part of the finding and is left unchanged.

sim: https://t.corp.amazon.com/V2263112241

Untrusted GitHub context (workflow_dispatch inputs, PR author login,
github.actor) was interpolated directly into inline run: scripts,
allowing shell script injection into the runner.

Bind these values to env: variables and reference them as quoted shell
variables so they are never evaluated as shell code. Fixes ACAT finding
for go-release.yml and smithy-diff.yml.

sim: https://t.corp.amazon.com/V2263112241
@ShubhamChaturvedi7 ShubhamChaturvedi7 requested a review from a team as a code owner July 15, 2026 23:02
@github-actions

Copy link
Copy Markdown

Detected changes to the release files or to the check-files action

@github-actions

Copy link
Copy Markdown

Changes to the release files or the check-files action requires 2 approvals from CODEOWNERS

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant