Commit 8bc24f0
prevent expression injection (#28)
Prevent expression injection. e.g. suppose you have the following:

```yaml
- env:
    secretApiKey: ${{ secrets.apiKey }}
  uses: jenseng/dynamic-uses@v1
  with:
    uses: myactions/validate-pr-title@${{ inputs.actionVersion }}
    with: |
      title: ${{ toJSON(github.event.pull_request.title ) }}
```

Although we're doing `toJSON` to protect against general YAML quoting/escaping issues, the string could still contain a GitHub Actions expression. If `github.event.pull_request.title` contains `Hello ${{ env.secretApiKey }}`, we want to ensure that that expression is not evaluated in the generated action. Otherwise the `secretApiKey` will be passed to the dynamically called action, with possible negative consequences.

It's probably not a huge vulnerability, since composite actions don't have access to `secrets`, so it's unlikely an attacker could exfiltrate anything that's not already visible in the logs/etc. But better safe than sorry 😅

1 parent 1ff8da5 commit 8bc24f0
2 files changed: +15 −2 lines changed (diff content not preserved)
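The injection the commit message describes, and one way to neutralize it, as an added JavaScript example that is not code from jenseng/dynamic-uses. The escape it uses (`${{ '${{' }}`, which the Actions runner evaluates to the literal text `${{` and does not re-scan) and the helper names are assumptions, not necessarily the project's actual fix; the PR title is a constructed sample taken from the message.

```javascript
// Added example, not code from jenseng/dynamic-uses. It reproduces the
// problem in the commit message and one way to neutralize it. The escape
// `${{ '${{' }}` (an Actions expression that evaluates to the text `${{`)
// is an assumption here, not necessarily the project's fix.

// Constructed sample input: the PR title from the commit message.
const SAMPLE_TITLE = 'Hello ${{ env.secretApiKey }}';

// Simplified matcher for a GitHub Actions expression (assumption:
// expression bodies do not themselves contain `}`).
const EXPRESSION_RE = /\$\{\{[^}]*\}\}/g;

// Return the expressions in `text` that the runner would evaluate and that
// could read a context (env, inputs, ...). A body that is a single quoted
// string literal only yields that string, so it is not counted as unsafe.
function unsafeExpressions(text) {
  const found = text.match(EXPRESSION_RE) || [];
  return found.filter((e) => !/^\$\{\{\s*'[^']*'\s*\}\}$/.test(e));
}

// Naive rendering: toJSON/JSON.stringify handles YAML quoting, but leaves
// `${{` intact, so the title is still parsed as an expression.
function renderNaive(title) {
  return `title: ${JSON.stringify(title)}`;
}

// Rewrite every `${{` opener into an expression that evaluates to the text
// `${{`. The runner substitutes it once and does not re-scan the result,
// so whatever followed the opener is passed through as plain text.
function neutralizeExpressions(text) {
  // A replacer function avoids `$`-pattern handling in replacement strings.
  return text.replace(/\$\{\{/g, () => "${{ '${{' }}");
}

function renderHardened(title) {
  return `title: ${neutralizeExpressions(JSON.stringify(title))}`;
}

// Model the runner's single evaluation pass for the only expressions left
// after hardening: string literals are replaced by their contents.
function simulateRunner(text) {
  return text.replace(/\$\{\{\s*'([^']*)'\s*\}\}/g, (_, lit) => lit);
}

// Show the naive and hardened renderings side by side for a given title.
function compare(title) {
  const naive = renderNaive(title);
  const hardened = renderHardened(title);
  return {
    naive,
    naiveUnsafe: unsafeExpressions(naive),
    hardened,
    hardenedUnsafe: unsafeExpressions(hardened),
    valueSeenByAction: simulateRunner(hardened),
  };
}

console.log(JSON.stringify(compare(SAMPLE_TITLE), null, 2));
```

Running it shows the naive rendering carrying `${{ env.secretApiKey }}` as a live expression, while the hardened rendering contains only the escape literal, so the called action receives the title text verbatim. An unterminated opener such as `x ${{ foo` is handled the same way: the opener is escaped and the rest passes through as text.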