[plan] Fix template injection vulnerabilities in ci-doctor and close-old-discussions workflows #5208

Description

Objective

Fix High-severity template injection vulnerabilities in ci-doctor.lock.yml and close-old-discussions.lock.yml workflows.

Context

Security Risk: GitHub evaluates ${{ ... }} expressions by substituting their text into the step's run: script before the shell ever parses it. An expression such as ${{ github.event.issue.title }} placed directly in a run: block therefore lets anyone who controls that value (issue titles, PR descriptions, discussion bodies, workflow_dispatch inputs) inject shell code that executes with the workflow's permissions and GITHUB_TOKEN.

Affected Files:

  • .github/workflows/ci-doctor.lock.yml (Line 1097)
  • .github/workflows/close-old-discussions.lock.yml (Line 546)

Reference: Discussion #5202 - Static Analysis Report

Approach

Move all ${{ github.event.* }} expressions out of direct shell interpolation and into the step's env: section. The shell then receives the untrusted value only as an environment variable's contents, which it never re-parses as code. Expand the variable in double quotes ("$ISSUE_TITLE") so word splitting and globbing do not apply either.

Pattern to Fix:

Before (Vulnerable):

- name: Process issue
  run: |
    # The expression is substituted into this script text before bash runs it,
    # so quotes and metacharacters in the title become part of the script.
    echo "Title: ${{ github.event.issue.title }}"

After (Secure):

- name: Process issue
  env:
    # The expression is evaluated into a variable value, not into script text.
    ISSUE_TITLE: ${{ github.event.issue.title }}
  run: |
    # Double quotes keep the value a single word; the shell does not parse it as code.
    echo "Title: $ISSUE_TITLE"
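The following POSIX shell script is an added illustration, not code from this repository or from the ci-doctor / close-old-discussions workflows. It emulates what the runner does: GitHub substitutes the ${{ }} expression into the script text before the shell parses it. The issue title used as the payload is constructed for the demo, and vulnerable_step / secure_step are hypothetical helpers written here to mimic the two step shapes above, not gh aw or GitHub Actions functions.

```shell
#!/bin/sh
# Added example: emulate how a GitHub Actions `run:` step is built from a
# `${{ github.event.issue.title }}` expression, vulnerable vs. secure form.

# Constructed attacker-controlled issue title (hypothetical payload). It closes the
# surrounding double quotes, runs its own command, then reopens a quote so the
# remainder of the script still parses.
PAYLOAD='Fix typo"; echo INJECTED; echo "'

# Vulnerable pattern, as in:
#   run: |
#     echo "Title: ${{ github.event.issue.title }}"
# GitHub performs plain text substitution of the expression into the script, so
# the title's quotes and semicolons become shell syntax.
vulnerable_step() {
  title=$1
  # Emulate the expression substitution the runner performs on the script text.
  script="echo \"Title: ${title}\""
  sh -c "$script"
}

# Secure pattern, as in:
#   env:
#     ISSUE_TITLE: ${{ github.event.issue.title }}
#   run: |
#     echo "Title: $ISSUE_TITLE"
# The title only reaches the shell as an environment variable's value; the
# script text is fixed and the value is never re-parsed as code.
secure_step() {
  ISSUE_TITLE="$1" sh -c 'echo "Title: $ISSUE_TITLE"'
}

echo "--- vulnerable step (injected command runs) ---"
vulnerable_step "$PAYLOAD"
echo "--- secure step (title printed verbatim) ---"
secure_step "$PAYLOAD"
```

Running the script shows the vulnerable step printing an extra INJECTED line (the attacker's command executed), while the secure step prints the whole title, quotes and semicolons included, as inert data. The same reasoning applies to any expression the user controls, not only issue titles; anything under github.event.* that originates from a third party belongs in env:.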

Files to Modify

  1. .github/workflows/ci-doctor.md (source workflow)

    • Locate the step at line ~1097 in the compiled output
    • Move GitHub event expressions to env: section
  2. .github/workflows/close-old-discussions.md (source workflow)

    • Locate the environment variable setup at line ~546 in compiled output
    • Move untrusted expressions to env: section
  3. Recompile workflows:

    gh aw compile ci-doctor
    gh aw compile close-old-discussions

Acceptance Criteria

  • All ${{ github.event.* }} expressions moved to environment variables in both workflows
  • No direct interpolation of untrusted data in shell scripts
  • Workflows compile successfully with gh aw compile
  • Static analysis (zizmor) shows no template injection findings for these workflows
  • Tests pass after changes

Validation

Run static analysis to verify fix:

gh aw compile ci-doctor --zizmor
gh aw compile close-old-discussions --zizmor

Expected: No High-severity template injection findings.

Related to #5207

AI generated by Plan Command for discussion #5202
