Indirect and Obfuscated Injection Attacks Bypass Detection (Critical Scanner Blindspot) #17

@harekrishnarai

Description

🐛 Bug Description

The injection and script injection rules in Flowlyt focus only on direct string/object interpolation and miss indirect and obfuscated injection patterns. This can result in critical shell/code injection vulnerabilities being missed in production workflows.

Missed Patterns Example:

# Indirect via variable then eval
run: |
  USER_DATA="${{ github.event.issue.title }}"
  eval "process_$USER_DATA"  # Injection context not flagged

# Encoded/obfuscated attack
run: |
  DATA=$(echo "${{ github.event.comment.body }}" | base64)
  echo $DATA | base64 -d | sh

# Heredoc/multiline injection
run: |
  cat <<EOF | bash
  echo ${{ github.event.pull_request.title }}
  EOF

📋 Reproduction Steps

  1. Use the above patterns in a workflow
  2. Scan with Flowlyt (default or strict rules)
  3. No injection vulnerability is reported

💻 Environment Details

  • Platform: GitHub Actions/GitLab
  • Flowlyt Version: main branch

💡 Additional Notes

  • Data flow/AST-based injection analysis is needed.
  • Improve support for detecting obfuscated and multi-step injection exploits.
  • Current regexes are not sufficient for real-world attacker TTPs.

Related: test/sample-workflow.yml
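As an added illustration of the data-flow analysis the notes above ask for (example code written for this page, not Flowlyt's own rules), the scanner below tracks untrusted `${{ }}` event data through shell variable assignments and heredoc bodies in a `run:` script and reports when it reaches `eval`, `sh`, `bash` or `source`. The list of untrusted contexts, the sink names and the three sample bodies are constructed assumptions for the example.

```python
import re

# Event-controlled expression contexts (constructed list for this example, not Flowlyt's rule set).
UNTRUSTED = re.compile(r"\$\{\{\s*github\.event\.(?:issue|comment|pull_request|review)\.[\w.]+\s*\}\}")
SINK = re.compile(r"\b(?:eval|sh|bash|source)\b")          # commands that execute their input
ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_]\w*)=(.*)$")
HEREDOC = re.compile(r"<<-?\s*['\"]?(\w+)['\"]?(.*)$")     # terminator word and the rest of the line
VAR_REF = re.compile(r"\$\{?([A-Za-z_]\w*)\}?")             # $VAR or ${VAR}

def scan_run_script(script: str) -> list[tuple[int, str]]:
    """Return (line_no, finding) pairs for one shell `run:` body.
    Every ${{ }} of event data is substituted before the shell parses the script, so it is
    reported on sight; taint is also carried through assignments and reported when a tainted
    variable or a heredoc body reaches eval/sh/bash/source."""
    tainted: set[str] = set()
    findings: list[tuple[int, str]] = []
    terminator, heredoc_is_sink = None, False
    for no, line in enumerate(script.splitlines(), 1):
        if terminator:                                      # inside a heredoc body
            if line.strip() == terminator:
                terminator = None
            elif heredoc_is_sink and UNTRUSTED.search(line):
                findings.append((no, "untrusted expression in heredoc piped to shell"))
            continue
        if UNTRUSTED.search(line):
            findings.append((no, "direct interpolation of untrusted expression"))
        if m := HEREDOC.search(line):
            terminator, heredoc_is_sink = m.group(1), bool(SINK.search(m.group(2)))
        if m := ASSIGN.match(line):
            var, rhs = m.groups()
            if UNTRUSTED.search(rhs) or tainted & set(VAR_REF.findall(rhs)):
                tainted.add(var)                            # taint propagates through the assignment
        if SINK.search(line) and tainted & set(VAR_REF.findall(line)):
            findings.append((no, "tainted variable reaches shell sink"))
    return findings

# Constructed sample: the three `run:` bodies from the report, as a scanner sees them after YAML parsing.
SAMPLES = {
    "indirect-eval": 'USER_DATA="${{ github.event.issue.title }}"\neval "process_$USER_DATA"\n',
    "encoded": 'DATA=$(echo "${{ github.event.comment.body }}" | base64)\necho $DATA | base64 -d | sh\n',
    "heredoc": 'cat <<EOF | bash\necho ${{ github.event.pull_request.title }}\nEOF\n',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        for no, why in scan_run_script(body):
            print(f"{name}: line {no}: {why}")
```

A real implementation would parse the workflow YAML to obtain each `run:` body and tokenize the shell rather than rely on line-oriented regexes, but the taint-propagation step is what turns the reported patterns from misses into findings.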
