
Feature Request: checking for Untrusted input #19

Closed
azu opened this issue Jul 30, 2021 · 4 comments
Labels
enhancement New feature or request

Comments

@azu

azu commented Jul 30, 2021

Keeping your GitHub Actions and workflows secure: Untrusted input | GitHub Security Lab describes the untrusted input on GitHub Actions.

In many cases, using the following values in run: or script: directly has a vulnerability.

github.event.issue.title
github.event.issue.body
github.event.pull_request.title
github.event.pull_request.body
github.event.comment.body
github.event.review.body
github.event.review_comment.body
github.event.pages.*.page_name
github.event.commits.*.message
github.event.head_commit.message
github.event.head_commit.author.email
github.event.head_commit.author.name
github.event.commits.*.author.email
github.event.commits.*.author.name
github.event.pull_request.head.ref
github.event.pull_request.head.label
github.event.pull_request.head.repo.default_branch
github.head_ref

For example, the following action has a command injection vulnerability.

name: test
on: [pull_request]
permissions:
  contents: read
jobs:
  test:
    name: "Test"
    runs-on: ubuntu-18.04
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - run: echo "${{ github.event.pull_request.title }}"

If an attacker creates a malicious PR title like ";cat .git/config|base64", GitHub Actions will execute the title as a command.

📝 actions/checkout sets GITHUB_TOKEN in .git/config for checking out the repo.

We can mitigate the vulnerability of the action by using env: as a parameter.

name: test
on: [pull_request]
permissions:
  contents: read
jobs:
  test:
    name: "Test"
    runs-on: ubuntu-18.04
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - run: echo "${PR_TITLE}"
        env:
          PR_TITLE: "${{ github.event.pull_request.title }}"

If actionlint checks for untrusted input in run:, it makes us safer.

Related

GitHub CodeQL has implemented related functions.
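As an added example (not code from this issue or from actionlint itself), a small Python check in the spirit of what is requested above: it scans a workflow's run: scripts for ${{ }} expressions whose property path is on the untrusted list and leaves the same expressions alone under env:, which is the mitigation shown above. The untrusted list is copied from the issue; the regexes, the constructed SAMPLE workflow and the function names are this example's own.

```python
import re
# Untrusted context properties, as listed in the issue (copied here for this example).
UNTRUSTED = [
    "github.event.issue.title", "github.event.issue.body", "github.event.comment.body",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.review.body", "github.event.review_comment.body",
    "github.event.pages.*.page_name", "github.event.commits.*.message",
    "github.event.head_commit.message", "github.event.head_commit.author.email",
    "github.event.head_commit.author.name", "github.event.commits.*.author.email",
    "github.event.commits.*.author.name", "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label", "github.head_ref",
    "github.event.pull_request.head.repo.default_branch",
]
# "*" stands for one array index or key segment, e.g. commits.*.message.
UNTRUSTED_RE = [re.compile("^" + re.escape(p).replace(r"\*", r"[^.]+") + "$") for p in UNTRUSTED]
EXPR_RE = re.compile(r"\$\{\{(.*?)\}\}")                # ${{ ... }} expressions
PATH_RE = re.compile(r"github\.[A-Za-z0-9_.*\[\]-]+")   # github.* property paths inside one
RUN_RE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")     # a step's run: key

def is_untrusted(path):
    path = re.sub(r"\[[^\]]*\]", ".*", path)   # commits[0].message -> commits.*.message
    return any(r.match(path) for r in UNTRUSTED_RE)

def find_untrusted_in_run(workflow_text):
    """(line_no, path) for untrusted expressions interpolated into run: scripts; env: is ignored."""
    findings, block_indent, awaiting_body = [], None, False
    for n, line in enumerate(workflow_text.splitlines(), 1):
        script, indent = None, len(line) - len(line.lstrip())
        m = RUN_RE.match(line)
        if m:  # new run: key; a block-scalar indicator means the script starts on the next line
            block_indent, value = None, m.group(2).strip()
            awaiting_body = value in ("|", "|-", "|+", ">", ">-", ">+")
            script = None if awaiting_body else value
        elif awaiting_body and line.strip():  # first body line fixes the block's indent
            block_indent, awaiting_body, script = indent, False, line
        elif block_indent is not None and (not line.strip() or indent >= block_indent):
            script = line
        else:
            block_indent = None  # dedented (or not in a block): back to step keys such as env:
        for expr in EXPR_RE.findall(script or ""):
            findings.extend((n, p) for p in PATH_RE.findall(expr) if is_untrusted(p))
    return findings

# Constructed sample: the issue's vulnerable step next to its env:-based fix.
SAMPLE = """\
steps:
  - run: echo "${{ github.event.pull_request.title }}"
  - run: echo "${PR_TITLE}"
    env:
      PR_TITLE: "${{ github.event.pull_request.title }}"
"""
```

Running find_untrusted_in_run(SAMPLE) flags only line 2; the env: copy of the same expression on line 5 is not reported, and multi-line "run: |" scripts are scanned until the block dedents.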

@rhysd rhysd added the enhancement New feature or request label Jul 30, 2021
@rhysd
Owner

rhysd commented Jul 30, 2021

Thank you for your suggestion. It makes sense to me and looks nice to have. Let me consider this for the next minor version up.

@rhysd
Owner

rhysd commented Aug 6, 2021

I've implemented this on the untrusted-input branch. The remaining task is adding tests and documents. This feature will be included in the next minor version up, v1.6.0.

@rhysd rhysd closed this as completed in b55d30d Aug 7, 2021
@rhysd
Owner

rhysd commented Aug 11, 2021

This feature was released in v1.6.0.

@azu
Author

azu commented Aug 21, 2021

Thanks! Awesome!
