
Conversation

@jrfnl
Contributor

@jrfnl jrfnl commented Dec 29, 2025

> GitHub Actions allows workflows to define template expansions, which occur within special `${{ ... }}` delimiters. These expansions happen before workflow and job execution, meaning the expansion of a given expression appears verbatim in whatever context it was performed in.
>
> Template expansions aren't syntax-aware, meaning that they can result in unintended shell injection vectors. This is especially true when they're used with attacker-controllable expression contexts, such as `github.event.issue.title` (which the attacker can fully control by supplying a new issue title).

Ref:
* https://securitylab.github.com/resources/github-actions-untrusted-input/
* https://docs.zizmor.sh/audits/#template-injection
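The quoted text describes the audit rule at issue: a `${{ ... }}` expansion of an attacker-controllable context inside a `run:` script is a shell injection vector, while the same context passed through `env:` and read back as a shell variable is the safe pattern recommended in the linked Security Lab article. The following scanner is an added example written for this page; it is not actionlint, zizmor, or code from this PR. It implements a minimal version of that check over two constructed workflow fragments, one vulnerable and one hardened. The list of untrusted contexts is a partial, hand-written list following the Security Lab article, and the line-oriented YAML handling (single-line `run:` values and `|`/`>` block scalars) is an assumption that keeps the example dependency-free.

```python
import re
from typing import List, NamedTuple, Tuple

# Partial list of expression contexts an outside contributor fully controls,
# following the GitHub Security Lab article linked in the PR description.
# Constructed for this example; a real audit tool carries a longer list.
UNTRUSTED_CONTEXTS = (
    r"github\.event\.issue\.title",
    r"github\.event\.issue\.body",
    r"github\.event\.pull_request\.title",
    r"github\.event\.pull_request\.body",
    r"github\.event\.pull_request\.head\.ref",
    r"github\.event\.comment\.body",
    r"github\.event\.head_commit\.message",
    r"github\.head_ref",
)
UNTRUSTED_RE = re.compile("|".join(UNTRUSTED_CONTEXTS))
EXPANSION_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")   # captures the expression text
RUN_KEY_RE = re.compile(r"^\s*(?:-\s+)?run:\s*(.*)$")  # `run:` or `- run:` step key
BLOCK_INDICATORS = {"|", "|-", "|+", ">", ">-", ">+"}


class Finding(NamedTuple):
    line: int        # 1-based line number in the workflow text
    expression: str  # the expression found inside ${{ ... }}


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def find_template_injections(workflow: str) -> List[Finding]:
    """Report ${{ ... }} expansions of untrusted contexts inside `run:` scripts.

    Only `run:` values are inspected: a context bound under `env:` and read
    back as "$VAR" in the shell is the documented safe pattern and is not flagged.
    """
    lines = workflow.splitlines()
    findings: List[Finding] = []
    i = 0
    while i < len(lines):
        m = RUN_KEY_RE.match(lines[i])
        if not m:
            i += 1
            continue
        value = m.group(1).strip()
        key_indent = lines[i].index("run:")
        script: List[Tuple[int, str]] = []
        if value in BLOCK_INDICATORS:
            # Block scalar: the script is every following line indented deeper
            # than the `run:` key; blank lines belong to the block as well.
            j = i + 1
            while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) > key_indent):
                script.append((j, lines[j]))
                j += 1
            i = j
        else:
            script.append((i, value))  # single-line `run: ...`
            i += 1
        for idx, text in script:
            for expr in EXPANSION_RE.findall(text):
                if UNTRUSTED_RE.search(expr):
                    findings.append(Finding(idx + 1, expr))
    return findings


# Constructed sample: the issue title is expanded directly into the shell script.
VULNERABLE_WORKFLOW = """\
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: Echo title (unsafe)
        run: echo "New issue: ${{ github.event.issue.title }}"
      - run: |
          TITLE="${{ github.event.issue.title }}"
          echo "$TITLE" >> summary.txt
          echo "run ${{ github.run_number }}"
"""

# Constructed sample: the same title reaches the shell only as an environment
# variable, so its contents are data, never script text.
HARDENED_WORKFLOW = """\
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: Echo title (safe)
        env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: |
          echo "New issue: $ISSUE_TITLE"
          echo "run ${{ github.run_number }}"
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        for f in find_template_injections(text):
            print(f"{label}: line {f.line}: untrusted expansion ${{{{ {f.expression} }}}} in run: script")
```

Run against the two fragments, the scanner flags both expansions of `github.event.issue.title` in the vulnerable workflow (lines 6 and 8 of that fragment), leaves the trusted `github.run_number` alone, and reports nothing for the hardened workflow because its only untrusted expansion sits under `env:`.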
@jrfnl jrfnl added this to the 1.0.0 milestone Dec 29, 2025
@jrfnl jrfnl merged commit 5ee9b68 into main Dec 29, 2025
3 checks passed
@jrfnl
Contributor Author

jrfnl commented Dec 29, 2025

I've reverted this PR as it's not working as intended - it ended up creating a ${DIRTY_LABEL} label in the repo, which was not the intention.

@jrfnl jrfnl deleted the JRF/ghactions-actionlint-improve-security branch December 29, 2025 00:58