Skip to content

Add compile-time validation for dangerous property names in expressions #14829

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
pelikhan merged 6 commits into from
Feb 10, 2026
Merged

Add compile-time validation for dangerous property names in expressions #14829

pelikhan merged 6 commits into from
Feb 10, 2026
+374 −0

Conversation

Copy link
Contributor

Copilot AI commented Feb 10, 2026
edited
Loading

Add compile-time validation for dangerous property names in expressions

Extends the runtime protection from #14826 by blocking dangerous JavaScript property names at compile time. Prevents prototype pollution attacks via expressions like ${{ github.constructor }} or ${{ inputs.__proto__ }}.

Changes

  • New constant: DangerousPropertyNames in pkg/constants/constants.go lists 13 blocked property names (constructor, proto, prototype, toString, valueOf, etc.)
  • New validator: validateExpressionForDangerousProps() in pkg/workflow/expression_validation.go parses dot/bracket notation and checks property names against the blocklist
  • Integration: Validation runs early in validateSingleExpression() before other checks
  • Tests: 35 test cases covering all dangerous properties and safe expressions

Example

Compilation now fails with a clear error:

$ gh aw compile workflow.md
✗ error: Validation failed for field 'expressions'
Reason: expression 'github.constructor' contains the dangerous property name 'constructor'
Suggestion: Remove the dangerous property 'constructor' from the expression. 
Property names like constructor, __proto__, prototype, and similar JavaScript built-ins 
are blocked to prevent prototype pollution attacks.

Safe expressions continue to work:

${{ github.actor }}              ✓
${{ github.event.issue.number }} ✓
${{ needs.job.outputs.result }}  ✓

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI and others added 2 commits February 10, 2026 19:49
@pelikhan
Add dangerous property validation to expression compiler
62aaa65 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Format code with make fmt
2be6221 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Add compiler validation for forbidden field names in expressions Add compile-time validation for dangerous property names in expressions Feb 10, 2026
Copilot AI requested a review from pelikhan February 10, 2026 19:57
@pelikhan pelikhan marked this pull request as ready for review February 10, 2026 19:58
Copilot AI review requested due to automatic review settings February 10, 2026 19:58
Copilot AI reviewed Feb 10, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds compile-time validation to block dangerous JavaScript property names in GitHub Actions expressions (e.g., constructor, __proto__) to prevent prototype-pollution style access patterns, aligning compile-time checks with existing runtime protections.

Changes:

  • Introduces a DangerousPropertyNames blocklist constant.
  • Adds validateExpressionForDangerousProps() and runs it early during single-expression validation.
  • Expands expression safety tests to cover blocked properties and end-to-end markdown validation.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File Description
pkg/workflow/expression_validation.go Adds dangerous-property detection and integrates it into expression validation flow.
pkg/constants/constants.go Defines the dangerous property name blocklist used by the validator.
pkg/workflow/expression_safety_test.go Adds unit + integration-style tests for dangerous property validation.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

pelikhan and others added 2 commits February 10, 2026 12:07
@pelikhan
Copy link
Contributor

pelikhan commented Feb 10, 2026

@copilot revert c10cefe

@pelikhan
Revert "Update pkg/workflow/expression_validation.go"
117e9e8 
This reverts commit c10cefe.

The commit introduced undefined regex variables (dangerousPropSplitRe, numericIndexRe)
that were never added to the var block, breaking compilation.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Feb 10, 2026

@copilot revert c10cefe

Reverted in 117e9e8. The commit was using undefined regex variables (dangerousPropSplitRe, numericIndexRe) that were never added to the var block.

@pelikhan pelikhan merged commit 59d2fc8 into main Feb 10, 2026
85 checks passed
@pelikhan pelikhan deleted the copilot/add-compiler-validation-forbidden-fields branch February 10, 2026 20:22
@github-actions github-actions bot mentioned this pull request Feb 11, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@pelikhan pelikhan Awaiting requested review from pelikhan

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pelikhan