fix: prevent script injection in PR workflow (#340)

thpierce · web-flow · commit 3d9ac9dc453b · 2026-01-22T16:15:41.000-08:00
Move github.event references to env vars and expand validation to check
all github.event.* usage in run steps

By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice.
diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml
@@ -15,6 +15,10 @@ permissions:
   id-token: write
   contents: read
 
+env:
+  USER: ${{ github.event.pull_request.user.login }}
+  LABELS: ${{ toJSON(github.event.pull_request.labels.*.name) }}
+
 jobs:
   static-code-checks:
     runs-on: ubuntu-latest
@@ -27,18 +31,18 @@ jobs:
         if: always()
         run: |
           # Check if PR is from workflows bot or dependabot
-          if [[ "${{ github.event.pull_request.user.login }}" == "aws-application-signals-bot" ]]; then
+          if [[ "${{ env.USER }}" == "aws-application-signals-bot" ]]; then
             echo "Skipping check: PR from aws-application-signals-bot"
             exit 0
           fi
           
-          if [[ "${{ github.event.pull_request.user.login }}" == "dependabot[bot]" ]]; then
+          if [[ "${{ env.USER }}" == "dependabot[bot]" ]]; then
             echo "Skipping check: PR from dependabot"
             exit 0
           fi
           
           # Check for skip changelog label
-          if echo '${{ toJSON(github.event.pull_request.labels.*.name) }}' | jq -r '.[]' | grep -q "skip changelog"; then
+          if echo '${{ env.LABELS }}' | jq -r '.[]' | grep -q "skip changelog"; then
             echo "Skipping check: skip changelog label found"
             exit 0
           fi
@@ -71,7 +75,7 @@ jobs:
           
           echo "No versioned actions found in changed files"
 
-      - name: Check for github.event.inputs in run steps
+      - name: Check for github.event in run steps
         if: always()
         run: |
           # Get changed GitHub workflow/action files
@@ -81,20 +85,20 @@ jobs:
             VIOLATIONS=""
             for file in $CHANGED_FILES; do
               # Extract all 'run' step values excluding this validation step
-              RUN_STEPS=$(yq eval '.. | select(has("run") and has("name") and .name != "Check for github.event.inputs in run steps") | .run' "$file" 2>/dev/null || echo "")
-              if echo "$RUN_STEPS" | grep -q "github\.event\.inputs\."; then
-                VIOLATIONS="$VIOLATIONS$file: Contains github.event.inputs.* in run step\n"
+              RUN_STEPS=$(yq eval '.. | select(has("run") and has("name") and .name != "Check for github.event in run steps") | .run' "$file" 2>/dev/null || echo "")
+              if echo "$RUN_STEPS" | grep -q "github\.event\."; then
+                VIOLATIONS="$VIOLATIONS$file: Contains github.event.* in run step\n"
               fi
             done
             
             if [ -n "$VIOLATIONS" ]; then
-              echo -e "Found github.event.inputs.* usage in run steps. This can lead to script injection vulnerabilities:"
+              echo -e "Found github.event.* usage in run steps. This can lead to script injection vulnerabilities:"
               echo -e "$VIOLATIONS"
               exit 1
             fi
           fi
           
-          echo "No github.event.inputs usage found in run steps"
+          echo "No github.event usage found in run steps"
 
   build:
     runs-on: ubuntu-latest
