Merge pull request #420 from rajbos/copilot/validate-user-input-in-workflow

Author: rajbos

.github/instructions/workflows.instructions.md

@@ -0,0 +1,113 @@
+---
+applyTo: ".github/workflows/**"
+---
+
+# Workflow Security: Validating Untrusted User Input
+
+## Overview
+
+Workflows in this repository that are triggered by untrusted user input (issue
+bodies, PR descriptions, comments, branch names, etc.) **must** validate that
+input for hidden characters and potential prompt injection before processing it.
+
+This is especially important for workflows that pass user content to AI/LLM
+systems (e.g. GitHub Copilot agents), but also applies to any automated
+processing where a malicious actor could influence the workflow's behavior.
+
+## The Central Validation Script
+
+**`.github/workflows/validate-input.sh`** is the single, authoritative script
+for this check. It detects:
+
+| Threat | Description |
+|--------|-------------|
+| Bidirectional Unicode control characters | Trojan Source attack (CVE-2021-42574) — makes text look different to humans vs. AI |
+| Zero-width / invisible characters | Hidden text injected between visible characters, invisible to human reviewers |
+| Unicode tag characters (U+E0000–E007F) | Completely invisible; can encode arbitrary ASCII instructions |
+| Unicode variation selectors | Can steganographically encode hidden data |
+| HTML comment blocks (`<!-- ... -->`) | Stripped by GitHub's renderer but fully visible to LLMs processing raw Markdown |
+| Non-printable control characters | Unexpected control bytes that may confuse parsers |
+
+If any of the above are found, the script:
+1. **Posts a warning comment** to the issue or PR, listing every finding and
+   linking back to the workflow run that caught it.
+2. **Exits with a non-zero code**, failing the workflow job immediately so that
+   no further processing occurs on the untrusted content.
+
+## How to Use the Script in a Workflow
+
+Add a validation step **before** any step that reads or processes the untrusted
+input. The step must run after the repository is checked out (so the script file
+is available), and it needs a `GH_TOKEN` with write access to post comments.
+
+```yaml
+- name: Validate <input source> for hidden content
+  env:
+    GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    INPUT_TEXT: ${{ github.event.issue.body }}   # ← the untrusted text
+    ITEM_NUMBER: ${{ github.event.issue.number }} # ← issue or PR number
+    REPO: ${{ github.repository }}
+    RUN_ID: ${{ github.run_id }}
+    SERVER_URL: ${{ github.server_url }}
+    CONTEXT_TYPE: issue          # "issue" or "pr"
+    FINDINGS_FILE: /tmp/validation-findings.txt
+  run: bash .github/workflows/validate-input.sh
+```
+
+For a pull request body, swap the event expressions and set `CONTEXT_TYPE: pr`:
+
+```yaml
+- name: Validate PR body for hidden content
+  env:
+    GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    INPUT_TEXT: ${{ github.event.pull_request.body }}
+    ITEM_NUMBER: ${{ github.event.pull_request.number }}
+    REPO: ${{ github.repository }}
+    RUN_ID: ${{ github.run_id }}
+    SERVER_URL: ${{ github.server_url }}
+    CONTEXT_TYPE: pr
+    FINDINGS_FILE: /tmp/validation-findings.txt
+  run: bash .github/workflows/validate-input.sh
+```
+
+## Deciding Whether a Workflow Needs Validation
+
+Apply the validation step when **all** of the following are true:
+
+1. The workflow is triggered by a user-controllable event:
+   `issues`, `issue_comment`, `pull_request`, `pull_request_review`,
+   `pull_request_review_comment`, `discussion`, `discussion_comment`, etc.
+2. The workflow reads a **text field** from the event payload that a user wrote:
+   `.body`, `.title`, `.comment.body`, `.review.body`, branch names, etc.
+3. That text is subsequently processed by an automated system (especially an AI).
+
+You do **not** need the script for:
+- Purely numeric fields like `issue.number` or `pull_request.number`.
+- Internal, trusted triggers (`workflow_dispatch` with controlled inputs,
+  `push` to protected branches, `schedule`, etc.).
+- Metadata-only fields like `pull_request.draft` or `label.name`.
+
+## Permissions
+
+The validation step requires the `issues: write` (or `pull-requests: write`)
+permission on the job so the `gh` CLI can post the warning comment:
+
+```yaml
+jobs:
+  my-job:
+    permissions:
+      issues: write      # needed to post the warning comment
+      contents: read
+```
+
+## Keeping the Script Up to Date
+
+If you discover a new class of hidden-character or injection attack not already
+covered, add a new detection block to `.github/workflows/validate-input.sh`
+under its clearly-labelled sections. Keep detection logic inside the Python
+heredoc so Unicode handling is reliable across all runners.
+
+Document any new threat type with:
+- A short comment explaining the attack and why it is dangerous.
+- An example of the Unicode code points or patterns being detected.
+- A human-readable finding message added to the `findings` list.

.github/workflows/check-toolnames.yml

@@ -27,6 +27,18 @@ jobs:
         with:
           ref: main
 
+      - name: Validate issue body for hidden content
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          INPUT_TEXT: ${{ github.event.issue.body }}
+          ITEM_NUMBER: ${{ github.event.issue.number }}
+          REPO: ${{ github.repository }}
+          RUN_ID: ${{ github.run_id }}
+          SERVER_URL: ${{ github.server_url }}
+          CONTEXT_TYPE: issue
+          FINDINGS_FILE: /tmp/validation-findings.txt
+        run: bash .github/workflows/validate-input.sh
+
       - name: Check toolnames and post comment
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/validate-input.sh

@@ -0,0 +1,198 @@
+#!/usr/bin/env bash
+# validate-input.sh
+#
+# Central script for validating untrusted user input in GitHub Actions workflows.
+# Detects hidden Unicode characters, invisible text, and HTML comment injection
+# that could be used for prompt injection attacks against AI/LLM systems.
+#
+# Usage: source this script or call it directly after setting the required
+# environment variables listed below.
+#
+# Required environment variables:
+#   INPUT_TEXT   - The untrusted text to validate (e.g. issue body, PR body)
+#   ITEM_NUMBER  - Issue or PR number used to post a warning comment
+#   REPO         - Repository in "owner/repo" format
+#   GH_TOKEN     - GitHub token with permission to write comments
+#
+# Optional environment variables:
+#   CONTEXT_TYPE - "issue" or "pr" (default: "issue")
+#   RUN_ID       - Workflow run ID for linking back to this run
+#   SERVER_URL   - GitHub server URL (default: https://github.com)
+
+set -euo pipefail
+
+INPUT_TEXT="${INPUT_TEXT:-}"
+ITEM_NUMBER="${ITEM_NUMBER:-}"
+REPO="${REPO:-}"
+CONTEXT_TYPE="${CONTEXT_TYPE:-issue}"
+RUN_ID="${RUN_ID:-}"
+SERVER_URL="${SERVER_URL:-https://github.com}"
+
+FINDINGS_FILE="/tmp/validation-findings.txt"
+rm -f "$FINDINGS_FILE"
+
+echo "=== Validating untrusted user input for security threats ==="
+
+# Run the full Unicode and injection analysis in Python, which handles
+# Unicode categories reliably across all platforms.
+python3 - << 'PYEOF'
+import os
+import re
+import sys
+import unicodedata
+
+input_text = os.environ.get("INPUT_TEXT", "")
+findings = []
+
+MAX_INPUT_CHARS = 200_000  # guard against extremely large payloads (~200 KB of ASCII)
+if len(input_text) > MAX_INPUT_CHARS:
+    input_text = input_text[:MAX_INPUT_CHARS]
+    print("Warning: input was truncated to 200,000 characters for validation", file=sys.stderr)
+
+# ── 1. Bidirectional text control characters ─────────────────────────────────
+# These are used in the "Trojan Source" class of attacks (CVE-2021-42574).
+# They make rendered text appear different from the actual bytes, hiding
+# malicious instructions from human reviewers while LLMs still process them.
+BIDI_CHARS = {
+    0x200E: "LEFT-TO-RIGHT MARK",
+    0x200F: "RIGHT-TO-LEFT MARK",
+    0x202A: "LEFT-TO-RIGHT EMBEDDING",
+    0x202B: "RIGHT-TO-LEFT EMBEDDING",
+    0x202C: "POP DIRECTIONAL FORMATTING",
+    0x202D: "LEFT-TO-RIGHT OVERRIDE",
+    0x202E: "RIGHT-TO-LEFT OVERRIDE",
+    0x2066: "LEFT-TO-RIGHT ISOLATE",
+    0x2067: "RIGHT-TO-LEFT ISOLATE",
+    0x2068: "FIRST STRONG ISOLATE",
+    0x2069: "POP DIRECTIONAL ISOLATE",
+}
+found_bidi = [name for cp, name in BIDI_CHARS.items() if chr(cp) in input_text]
+if found_bidi:
+    findings.append(
+        "Bidirectional Unicode control characters detected "
+        f"({', '.join(found_bidi[:3])}{'...' if len(found_bidi) > 3 else ''}) — "
+        "these can make content appear different to humans than to AI systems "
+        "(Trojan Source / CVE-2021-42574)"
+    )
+
+# ── 2. Zero-width and invisible characters ────────────────────────────────────
+# Invisible to human readers but processed by AI models — ideal for hiding
+# secret instructions inside otherwise normal-looking text.
+INVISIBLE_CHARS = {
+    0x00AD: "SOFT HYPHEN",
+    0x200B: "ZERO WIDTH SPACE",
+    0x200C: "ZERO WIDTH NON-JOINER",
+    0x200D: "ZERO WIDTH JOINER",
+    0x2060: "WORD JOINER",
+    0xFEFF: "ZERO WIDTH NO-BREAK SPACE (BOM)",
+}
+found_invisible = [name for cp, name in INVISIBLE_CHARS.items() if chr(cp) in input_text]
+if found_invisible:
+    findings.append(
+        "Invisible/zero-width Unicode characters detected "
+        f"({', '.join(found_invisible[:3])}{'...' if len(found_invisible) > 3 else ''}) — "
+        "these are not visible to human reviewers but are processed by AI systems"
+    )
+
+# ── 3. Unicode tag characters (U+E0000–U+E007F) ───────────────────────────────
+# A block of characters originally reserved for language tags. Completely
+# invisible in most renderers but can encode arbitrary ASCII text.
+tag_chars = [c for c in input_text if 0xE0000 <= ord(c) <= 0xE007F]
+if tag_chars:
+    findings.append(
+        f"Unicode tag characters detected ({len(tag_chars)} character(s) in U+E0000–E007F range) — "
+        "these are fully invisible and can encode hidden ASCII messages"
+    )
+
+# ── 4. Variation selectors ────────────────────────────────────────────────────
+# Variation selectors modify the appearance of the preceding character but can
+# also be abused to encode hidden information steganographically.
+variation_selectors = [
+    c for c in input_text
+    if (0xFE00 <= ord(c) <= 0xFE0F) or (0xE0100 <= ord(c) <= 0xE01EF)
+]
+if variation_selectors:
+    findings.append(
+        f"Unicode variation selectors detected ({len(variation_selectors)} character(s)) — "
+        "these can be used to steganographically encode hidden data"
+    )
+
+# ── 5. HTML comments ──────────────────────────────────────────────────────────
+# HTML comments are stripped by GitHub's Markdown renderer, making them
+# invisible to human readers, but an LLM processing the raw source will see
+# and potentially act on any instructions hidden inside them.
+if re.search(r"<!--.*?-->", input_text, re.DOTALL):
+    findings.append(
+        "HTML comment block(s) detected (<!-- ... -->) — "
+        "these are hidden from the rendered view but visible to AI systems "
+        "processing the raw source, making them a common prompt injection vector"
+    )
+
+# ── 6. Non-printable control characters ──────────────────────────────────────
+# Excludes ordinary whitespace (tab, LF, CR) which are expected in text.
+ALLOWED_CONTROL = {0x09, 0x0A, 0x0D}  # HT, LF, CR
+control_chars = [
+    c for c in input_text
+    if unicodedata.category(c) == "Cc" and ord(c) not in ALLOWED_CONTROL
+]
+if control_chars:
+    findings.append(
+        f"Non-printable control characters detected ({len(control_chars)} character(s)) — "
+        "unexpected control characters may indicate an attempt to confuse parsers or renderers"
+    )
+
+# Write findings to a temp file so the calling shell script can build the comment
+findings_file = os.environ.get("FINDINGS_FILE", "/tmp/validation-findings.txt")
+with open(findings_file, "w") as fh:
+    for f in findings:
+        fh.write(f + "\n")
+
+if findings:
+    print(f"⚠️  Found {len(findings)} security concern(s) in input", file=sys.stderr)
+    sys.exit(1)
+else:
+    print("✅ No suspicious content detected", file=sys.stderr)
+    sys.exit(0)
+PYEOF
+VALIDATION_EXIT=$?
+
+if [ "$VALIDATION_EXIT" -ne 0 ]; then
+    WORKFLOW_URL="${SERVER_URL}/${REPO}/actions/runs/${RUN_ID}"
+
+    # Build the warning comment
+    {
+        echo "## ⚠️ Security Warning: Suspicious Input Detected"
+        echo ""
+        echo "This ${CONTEXT_TYPE} contains content that may be used for **prompt injection** — an attack that hides instructions inside text to manipulate AI/LLM systems processing it."
+        echo ""
+        echo "### Findings"
+        echo ""
+        while IFS= read -r line; do
+            echo "- ${line}"
+        done < "$FINDINGS_FILE"
+        echo ""
+        echo "### What this means"
+        echo ""
+        echo "Hidden Unicode characters or HTML comments can be invisible to human reviewers while still being read and acted upon by AI models. This is a known technique for injecting malicious instructions into AI-assisted workflows."
+        echo ""
+        echo "**Action required:** Please review and edit the ${CONTEXT_TYPE} to remove any hidden characters before this workflow can proceed. If you believe this is a false positive, please contact a repository maintainer."
+        echo ""
+        if [ -n "${RUN_ID}" ]; then
+            echo "_Detected by [workflow run #${RUN_ID}](${WORKFLOW_URL})_"
+        else
+            echo "_Detected by an automated security validation step._"
+        fi
+    } > /tmp/security-comment.md
+
+    echo "=== Posting security warning comment to ${CONTEXT_TYPE} #${ITEM_NUMBER} ==="
+    if [ "${CONTEXT_TYPE}" = "pr" ]; then
+        gh pr comment "${ITEM_NUMBER}" --repo "${REPO}" --body-file /tmp/security-comment.md
+    else
+        gh issue comment "${ITEM_NUMBER}" --repo "${REPO}" --body-file /tmp/security-comment.md
+    fi
+
+    echo "::error::Input validation failed: suspicious content detected. See comment on ${CONTEXT_TYPE} #${ITEM_NUMBER} for details."
+    exit 1
+fi
+
+echo "✅ Input validation passed — no suspicious content detected"