Describe the bug
Inputs `certificates` and `warning_days` are expanded directly inside the bash `run` block:

```yaml
CERTIFICATES='${{ inputs.certificates }}'
WARNING_DAYS="${{ inputs.warning_days }}"
```
A crafted value containing single quotes or shell metacharacters can break out of the quoted string and inject arbitrary shell commands. This is a known GitHub Actions script-injection vector.
Steps to Reproduce
- Call the action with:

```yaml
certificates: "' ; malicious-command #"
```

- The injected command executes on the runner.
Expected state
Inputs must be passed via `env:` variables and read from the environment in bash — never interpolated directly:

```yaml
env:
  INPUT_CERTS: ${{ inputs.certificates }}
  INPUT_WARN_DAYS: ${{ inputs.warning_days }}
```

Then in bash:

```bash
CERTIFICATES="${INPUT_CERTS}"
```
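The following script is an added illustration of the fix, not the action's own code. It assumes the action exports the two inputs as `INPUT_CERTS` and `INPUT_WARN_DAYS` through `env:` (the names used above). `render_interpolated` shows what the current `run` block becomes after GitHub's textual expansion: the crafted value closes the single-quoted string before bash ever parses the line. `check_inputs` shows the hardened path, where the same value arrives as environment data, is never re-parsed by the shell, and `warning_days` is validated as an integer before use.

```shell
#!/usr/bin/env bash
# Added example: hardened input handling for the certificate-expiry step.
# Assumes the workflow sets INPUT_CERTS and INPUT_WARN_DAYS via `env:`.

# What the vulnerable pattern produces: the input value is spliced into the
# script text, so a value containing a single quote ends the quoted string.
# Returned as text only; this function never executes the rendered line.
render_interpolated() {
  printf "CERTIFICATES='%s'\n" "$1"
}

# warning_days must be a non-negative integer; anything else is rejected.
validate_warn_days() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Number of non-empty certificate entries in INPUT_CERTS (one per line).
count_certs() {
  printf '%s\n' "${INPUT_CERTS:-}" | grep -c . || true
}

# Hardened entry point: read inputs from the environment. The value is only
# ever handled as a string, so shell metacharacters in it are inert.
check_inputs() {
  CERTIFICATES="${INPUT_CERTS:-}"
  WARNING_DAYS="${INPUT_WARN_DAYS:-}"
  if ! validate_warn_days "$WARNING_DAYS"; then
    printf 'warning_days must be an integer, got: %s\n' "$WARNING_DAYS" >&2
    return 2
  fi
  printf '%s\n' "$CERTIFICATES" | while IFS= read -r cert; do
    [ -n "$cert" ] || continue
    # Real action logic (openssl x509 -checkend, etc.) would go here;
    # the certificate name is passed as a quoted argument, never eval'd.
    printf 'would check %s (warn at %s days)\n' "$cert" "$WARNING_DAYS"
  done
}
```

Run with `INPUT_CERTS="' ; malicious-command #" INPUT_WARN_DAYS=30 bash -c '. ./check.sh; check_inputs'` and the hostile string is printed back verbatim as a certificate name rather than executed; the same value fed to `render_interpolated` yields `CERTIFICATES='' ; malicious-command #'`, which is the line the current action hands to bash.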
Impact / Severity
High
Runner OS
Both
Attachments / Evidence
No attachments.
Related / References
None.