fix(security): document prompt injection risk from ISSUE_BODY in AI agent workflows#529
Open
XananasX7 wants to merge 1 commit into
Conversation
…gent workflows The gemini-issue-fixer.yml and gemini-triage.yml workflows pass github.event.issue.body (attacker-controlled) directly as ISSUE_BODY environment variable into the Gemini CLI execution context. This creates an indirect prompt injection surface: any GitHub user who opens an issue can craft a body that attempts to manipulate the Gemini agent's behavior. The agent runs with write-capable GitHub tokens (contents:write, issues:write, pull-requests:write) and the GitHub MCP server, so successful injection could lead to: - Malicious PRs created against the repository - Issue comments posted with attacker-controlled content - Repository content modified via the AI agent Mitigations already present (these must be maintained): - GITHUB_TOKEN: '' in the Gemini execution step - Output validation before applying labels - Template-based responses rather than raw LLM output This commit adds explicit security comments to document that ISSUE_BODY is untrusted user input and that maintaining empty GITHUB_TOKEN during AI execution is a critical security boundary — not an oversight. Note: This action is used by ~1,740 repositories. Consumers who add GITHUB_TOKEN to the Gemini execution step would be vulnerable.
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Documents the prompt injection attack surface in
gemini-issue-fixer.ymlandgemini-triage.ymlwheregithub.event.issue.body(attacker-controlled) is passed directly asISSUE_BODYinto the Gemini CLI execution environment.Impact
This action is used by ~1,740 repositories (per GitHub code search). The issue affects any consumer repo where the Gemini execution step has access to a write-capable
GITHUB_TOKEN.Attack scenario:
ISSUE_BODYcontaining the injected instructionsGITHUB_TOKENset, the agent can: create PRs, post comments, modify codeCurrently in this repo: The Gemini execution step sets
GITHUB_TOKEN: ''(empty) — this is the critical mitigation. However, this is not documented as a security boundary, making it easy for consumers to accidentally add a token without realizing the risk.What this PR does
Adds explicit security comments to document that:
ISSUE_BODYis attacker-controlled (any GitHub user can open an issue)GITHUB_TOKENempty during Gemini execution is a security requirement, not an oversightGITHUB_TOKENin the Gemini step of their own workflows would be vulnerableRecommendations for a stronger fix
ISSUE_BODYin explicit<untrusted_input>delimiters in the promptGITHUB_TOKENis passed alongside untrusted contentAffected workflows
.github/workflows/gemini-issue-fixer.yml.github/workflows/gemini-triage.yml