-
Notifications
You must be signed in to change notification settings - Fork 85
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: github workflow vulnerable to script injection #2600
Conversation
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
@diogoteles08 , lgtm but can you take a look also. There might be other instances elsewhere where this might be useful. |
@PhongChuong we have this script in other hw repos. |
I did a similar change in google-cloud-java: googleapis/google-cloud-java#10881 |
Hi! I did realize this very same workflow was used in other repositories of this org. I grouped some and pointed them in this comment: googleapis/java-storage#2663 (comment) |
/gcbrun |
@diogoteles08 just testing a few commits to confirm if we can also inline an env var in the |
/gcbrun |
Hi! I'm Diogo from Google's Open Source Security Team(GOSST) and I'm dropping by to suggest this small change that will enhance the security of your repository by preventing script injection attacks through your GitHub workflows.
In the piece of code I changed, you were directly using the value of a variable that comes from a user's input, so a malicious user could exploit that input and use it to run arbitrary code. By using an intermediate environment variable, the value of the expression is stored in memory, used as a variable and doesn't interact with the script generation process. This mitigates the script injection risks and also keeps your workflow running exactly as before.
You can find more information about this on this github documentation or in this gitguardian blogpost.
Cheers!