javascript/ql/src/Security/CWE-094/ExpressionInjection.qhelp
7 additions & 19 deletions
@@ -2,59 +2,47 @@
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
-
<overview>
-
<p>
-
Using user-controlled input in GitHub Actions may lead to
code injection in contexts like <i>run:</i> or <i>script:</i>.
-
</p>
-
<p>
Code injection in GitHub actions may allow an attacker to
exfiltrate the temporary GitHub repository authorization token.
-
The token has write access to the repository, and thus an attacker
-
can use it to modify the repository.
+
The token might have write access to the repository, and thus an attacker
+
might be able to use it to modify the repository.
</p>
-
</overview>
<recommendation>
-
<p>
The best practice to avoid code injection vulnerabilities
in GitHub workflows is to set the untrusted input value of the expression
to an intermediate environment variable.
</p>
-
+
<p>
+
It is also recommended to limit the permissions of any tokens used
+
by a workflow such as the the GITHUB_TOKEN.
+
</p>
</recommendation>
<example>
-
<p>
-
The following example lets a user inject an arbitrary shell command:
-
</p>
-
<samplesrc="examples/comment_issue_bad.yml" />
<p>
-
The following example uses shell syntax to read
the environment variable and will prevent the attack:
-
</p>
-
<samplesrc="examples/comment_issue_good.yml" />
-
</example>
<references>
<li>GitHub Security Lab Research: <ahref="https://securitylab.github.com/research/github-actions-untrusted-input">Keeping your GitHub Actions and workflows secure: Untrusted input</a>.</li>
<li>GitHub Docs: <ahref="https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions">Security hardening for GitHub Actions</a>.</li>
+
<li>GitHub Docs: <ahref="https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token">Permissions for the GITHUB_TOKEN</a>.</li>
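Review bot: the new recommendation paragraph has a doubled article, "by a workflow such as the the GITHUB_TOKEN."; it should read "such as the GITHUB_TOKEN". While you are in that sentence, it would help readers to name the mechanism rather than only the goal, e.g. "limit the permissions of any tokens used by a workflow, such as the GITHUB_TOKEN, by declaring the minimum `permissions:` the workflow or job needs", which is also what the newly linked "Permissions for the GITHUB_TOKEN" reference documents. The softening in the overview ("might have write access") is a good correction, since the token's scope depends on the repository and workflow settings, and the new recommendation is what turns that "might" into a guaranteed reduction of impact.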