
fix: prevent CMD_EXEC injection via env indirection for user-controlled inputs #738

Open. nbuckwalt wants to merge 1 commit into EnricoMi:master from Contrast-Security-OSS:contrast/fix-cmd-exec-inputs

Conversation

@nbuckwalt


Replace direct ${{ inputs.* }} interpolation in run: blocks with env: indirection. Assign each input to a step-level env var and reference $ENV_VAR in shell commands.

Files changed:

  • docker/action.yml: docker_platform, docker_registry, docker_image, docker_tag
  • misc/action/json-output/action.yml: inputs.json (heredoc → echo "$JSON")
  • misc/action/find-workflows/action.yml: inputs.url, inputs.query
  • misc/action/package-downloads/action.yml: inputs.url, inputs.repo, inputs.package

Based on SHA c950f6f (v2.23.0). See upstream #737.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
nbuckwalt force-pushed the contrast/fix-cmd-exec-inputs branch from f9c7bcd to acb6755 on March 26, 2026 21:16
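To see why the PR moves inputs out of the `run:` text and into `env:`, the following added example (not code from this PR or from the EnricoMi project) simulates what the Actions runner does: it splices the value of `${{ inputs.* }}` into the script text before the shell parses it, so a value can close a quote or a heredoc and append its own commands. The input names, the two constructed payloads, and the `echo`/`printf` stand-ins for the real docker and JSON-output commands are all assumptions; the `unsafe_*` functions model the "before" of each changed step and the `safe_*` functions model the env-indirection "after".

```shell
#!/bin/sh
# Added illustration, not the project's code: a constructed simulation of how a
# GitHub Actions runner expands ${{ inputs.* }} inside a `run:` block. The
# expression is replaced in the script *text* before the shell sees it.

# Constructed attacker-controlled value for an input like docker_tag. It closes
# the quoted argument, runs an arithmetic echo, then reopens a quote so the
# remainder of the original line still parses.
TAG_PAYLOAD='v1.0"; echo $((6*7)); echo "'

# Constructed attacker-controlled value for an input like inputs.json. It ends
# the heredoc early, runs a command, then opens a new heredoc so the original
# EOF terminator line is consumed harmlessly.
JSON_PAYLOAD=$(printf '{}\nEOF\necho $((6*7))\ncat <<EOF\n{}')

# Before: `run: echo "tag is ${{ inputs.docker_tag }}"` (echo stands in for the
# real docker command). The runner splices the value into the script text.
unsafe_tag() {
  script="echo \"tag is $1\""
  sh -c "$script"
}

# After: `env: DOCKER_TAG: ${{ inputs.docker_tag }}` plus
# `run: echo "tag is $DOCKER_TAG"`. The script text is constant; the shell
# expands the variable as data only, and the quotes keep it one argument.
safe_tag() {
  DOCKER_TAG=$1 sh -c 'echo "tag is $DOCKER_TAG"'
}

# Before: an unquoted heredoc whose body is ${{ inputs.json }}. The terminator
# is matched textually, so the value can supply its own EOF line.
unsafe_json() {
  script=$(printf 'cat <<EOF\n%s\nEOF\n' "$1")
  sh -c "$script"
}

# After: `env: JSON: ${{ inputs.json }}` plus `run: echo "$JSON"` (printf is
# used here to sidestep echo's escape handling). Newlines are just bytes.
safe_json() {
  JSON=$1 sh -c 'printf "%s\n" "$JSON"'
}

# Reads a step's output on stdin; succeeds only if the injected command really
# ran, i.e. a line reads exactly 42 rather than the literal "$((6*7))".
injected() {
  grep -qx 42
}

# Demonstration when run directly.
echo "--- unsafe_tag:";  unsafe_tag "$TAG_PAYLOAD"
echo "--- safe_tag:";    safe_tag "$TAG_PAYLOAD"
echo "--- unsafe_json:"; unsafe_json "$JSON_PAYLOAD"
echo "--- safe_json:";   safe_json "$JSON_PAYLOAD"
```

Two checks worth keeping in mind when reviewing a change like this: the `${{ }}` expression is fine inside `env:` because an environment value is never parsed by the shell, but the variable must then be referenced double-quoted (`"$DOCKER_TAG"`, not `$DOCKER_TAG`) or word splitting and globbing reappear; and env indirection stops shell injection only, so a value that begins with `-` can still be read as a flag by the command that receives it unless the command gets a `--` separator or the value is validated.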