-
Notifications
You must be signed in to change notification settings - Fork 77
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: github workflow vulnerable to script injection #2663
Conversation
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
@diegomarquezp @blakeli0 Can you address the issue outlined here from @diogoteles08? |
Hey! Just realized that this workflow is also used in other repos from this same org -- I've already created some PRs to them before realizing they could have the same contributors, sorry ><). Namely:
That said, I'll wait for your input on how we should follow here. Let me know if I should raise similar PRs on the other repos, or if there is any specific source that I should change and then the change can be mirrored to the others. |
Thanks @diogoteles08 for reporting this issue! Yes it is used in a few other repos as well, our team will handle all the necessary changes. If you need a way to track it, can you create an issue in our component(173303) internally? Separately, only contributors with write access can create branches, which are very selective, so this issue should not have any impact at this moment. |
@diogoteles08, letting you know here as well that I pushed 1 or 2 commits to these PRs (thanks!) to also inline the |
paths: | ||
- 'generation_config.yaml' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you put these lines back? They were added in 34e99b1
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Restored
Hi! I'm Diogo from Google's Open Source Security Team(GOSST) and I'm dropping by to suggest this small change that will enhance the security of your repository by preventing script injection attacks through your GitHub workflows.
In the piece of code I changed, you were directly using the value of a variable that comes from a user's input, so a malicious user could exploit that input and use it to run arbitrary code. By using an intermediate environment variable, the value of the expression is stored in memory, used as a variable and doesn't interact with the script generation process. This mitigates the script injection risks and also keeps your workflow running exactly as before.
You can find more information about this on this github documentation or in this gitguardian blogpost.
Cheers!