
Code injection issue in cross-repo-issue GitHub action #4323

@zxPhoenix

Description


Background

Our code quality checks have identified a critical code injection vulnerability in the cross-repo-issue GitHub Action. We understand that the probability of this case is extremely low due to code reviews, etc. However, we would like to address it to pass all quality checks.

Context

Using user-controlled input in GitHub Actions may lead to code injection in contexts like run: or script:.

Code injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token may have write access to the repository, allowing an attacker to make changes to the repository.

Recommendation
The best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not ${{ env.VAR }}).

It is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN.

Example

Incorrect Usage
The following example lets attackers inject an arbitrary shell command:

on: issue_comment

jobs:
  echo-body:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo '${{ github.event.comment.body }}'

Correct Usage
The following example uses shell syntax to read the environment variable and will prevent the attack:

on: issue_comment

jobs:
  echo-body:
    runs-on: ubuntu-latest
    steps:
      - env:
          # The expression is expanded into an environment variable, never into the script text
          BODY: ${{ github.event.comment.body }}
        run: |
          # The shell reads the variable at run time; its contents are data, not code
          echo "$BODY"
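As an added illustration of the check the recommendation above describes (this is example code, not part of the issue, of CodeQL, or of the prebid-server-java project), the script below scans a workflow's text for expressions built from attacker-controllable contexts that are expanded inside a `run:` or `script:` block (the latter is the key used by actions/github-script). It treats the env-variable pattern as safe because the expression is expanded into an environment variable rather than into script text. The context list is a subset of the one in the GitHub Security Lab article referenced below; the line-based scalar detection is a simplification that assumes standard indentation rather than a full YAML parser. The three workflow snippets are constructed inputs: the two from this issue plus a github-script variant.

```python
import re

# Subset of the event contexts GitHub Security Lab lists as attacker-controllable
# (issue/PR/comment bodies and titles, branch names, commit messages, ...).
UNTRUSTED_CONTEXT = re.compile(
    r"github\.event\.(issue|comment|pull_request|review|review_comment|discussion|"
    r"discussion_comment)\.(body|title)"
    r"|github\.event\.pull_request\.head\.(ref|label)"
    r"|github\.event\.pull_request\.head\.repo\.default_branch"
    r"|github\.head_ref"
    r"|github\.event\.(commits|head_commit)(\[\d+\])?\.(message|author\.(name|email))"
    r"|github\.event\.pages\[\d+\]\.page_name"
    r"|github\.event\.workflow_run\.head_branch"
)

# A workflow expression: ${{ ... }}. The inner text is captured for classification.
EXPRESSION = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")

# A `run:` or `script:` mapping key, optionally as a list item, with its inline value.
KEY_RE = re.compile(r"^\s*(?:-\s+)?(?P<key>run|script):\s*(?P<value>.*)$")

BLOCK_INDICATORS = {"|", ">", "|-", ">-", "|+", ">+"}


def expression_is_untrusted(expr: str) -> bool:
    """True when the expression reads a context an external user can control."""
    return UNTRUSTED_CONTEXT.search(expr) is not None


def find_injections(workflow_text: str):
    """Return (line_number, key, expression) for every untrusted expression
    that is expanded directly into a run:/script: scalar."""
    lines = workflow_text.splitlines()
    findings = []
    i = 0
    while i < len(lines):
        m = KEY_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key, value = m.group("key"), m.group("value").strip()
        if value in BLOCK_INDICATORS:
            # Block scalar: the body is every following line indented deeper than the key.
            key_col = lines[i].index(key)
            body, j = [], i + 1
            while j < len(lines):
                ln = lines[j]
                indent = len(ln) - len(ln.lstrip())
                if ln.strip() == "" or indent > key_col:
                    body.append((j + 1, ln))
                    j += 1
                else:
                    break
            i = j
        else:
            # Plain scalar on the same line as the key.
            body = [(i + 1, value)]
            i += 1
        for lineno, text in body:
            for expr in EXPRESSION.findall(text):
                if expression_is_untrusted(expr):
                    findings.append((lineno, key, expr))
    return findings


# Constructed inputs: the "Incorrect Usage" snippet from this issue ...
UNSAFE_WORKFLOW = """\
on: issue_comment

jobs:
  echo-body:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo '${{ github.event.comment.body }}'
"""

# ... the env-variable remediation ...
SAFE_WORKFLOW = """\
on: issue_comment

jobs:
  echo-body:
    runs-on: ubuntu-latest
    steps:
      - env:
          BODY: ${{ github.event.comment.body }}
        run: |
          echo "$BODY"
"""

# ... and the same mistake inside a github-script `script:` block.
SCRIPT_WORKFLOW = """\
on: issues

jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            console.log('${{ github.event.issue.title }}')
"""

if __name__ == "__main__":
    for name, text in [("unsafe", UNSAFE_WORKFLOW), ("safe", SAFE_WORKFLOW), ("script", SCRIPT_WORKFLOW)]:
        print(name, find_injections(text))
```

The scanner reports the line, the key and the offending expression, so a finding such as `(8, 'run', 'github.event.comment.body')` maps directly onto the remediation: move that expression into an `env:` entry and reference it from the shell as `"$VAR"`. Expressions that are not on the untrusted list, such as `github.event.issue.number`, are left alone to keep the output actionable.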

Affected code

https://github.com/prebid/prebid-server-java/blob/01acd952715516a4c80be35f5f1d7fa915e635ad/.github/workflows/cross-repo-issue.yml#L29C87-L29C125

References

GitHub Security Lab Research: Keeping your GitHub Actions and workflows secure: Untrusted input.
GitHub Docs: Security hardening for GitHub Actions.
GitHub Docs: Permissions for the GITHUB_TOKEN.
