Prevent script injection in GitHub Actions workflows#2355
Open
ShubhamChaturvedi7 wants to merge 1 commit into
Open
Prevent script injection in GitHub Actions workflows#2355ShubhamChaturvedi7 wants to merge 1 commit into
ShubhamChaturvedi7 wants to merge 1 commit into
Conversation
Untrusted GitHub context (workflow_dispatch inputs, PR author login, github.actor) was interpolated directly into inline run: scripts, allowing shell script injection into the runner. Bind these values to env: variables and reference them as quoted shell variables so they are never evaluated as shell code. Fixes ACAT finding for go-release.yml and smithy-diff.yml. sim: https://t.corp.amazon.com/V2263112241
|
Detected changes to the release files or to the check-files action |
|
Changes to the release files or the check-files action requires 2 approvals from CODEOWNERS |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes the Script Injection in GitHub Actions workflows (V2263112241).
Untrusted GitHub context values were interpolated directly into inline
run:shell scripts, which allows an attacker-controlled value to be evaluated as shell code on the runner. This change binds those values toenv:variables and references them as quoted shell variables, so they are treated as data rather than executable script.Changes
.github/workflows/go-release.ymlGet release directory name—project-name/versioninputs moved toenv($PROJECT_NAME,$VERSION).Run Go release automation script— same, and arguments quoted.print diff...—project-nameandreleaseDirNamemoved toenv; paths quoted..github/workflows/smithy-diff.ymlCheck if FILES is not empty—pull_request.user.login,github.actor, andgithub.repositorymoved toenv($PR_USER,$ACTOR,$REPO) and referenced as shell variables in the comment/curlbody.Testing
${{ github.event* }},${{ github.actor }}, or${{ steps.* }}interpolations remain inside anyrun:block — all such values are now inenv:blocks (the recommended safe pattern).Notes
Generate a changelogstep usesreleaseDirNamein awith: args:(an action input, not arun:shell body) and is workflow-generated, so it was not part of the finding and is left unchanged.sim: https://t.corp.amazon.com/V2263112241