
CircleCI $BASH_ENV Injection

CircleCI's $BASH_ENV environment variable points to a file that is sourced at the start of each remaining step of the job. If untrusted or unescaped variable values are appended to that file, their contents are parsed as shell when the file is sourced, which can allow arbitrary code execution and compromise the workflow.

If possible, use single-quoted strings and escape environment variables so that the value is written as a literal and isn't evaluated as bash commands.

Examples

Insecure Example

steps:
- run: |
    echo "RELEASE_NAME=${CIRCLE_BRANCH}" >> $BASH_ENV

- run: |
    echo RELEASE_NAME=$CIRCLE_BRANCH >> $BASH_ENV

Secure Example

steps:
- run: |
    echo 'RELEASE_NAME=${CIRCLE_BRANCH}' >> $BASH_ENV
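
The following shell script is an added example, not part of the original page or of CircleCI: it simulates a job step sourcing $BASH_ENV with both patterns above, using a constructed branch name that contains shell metacharacters, and includes a small heuristic grep check for reviewing config files. The `write_insecure`, `write_secure`, `run_step` and `flag_insecure_writes` function names are assumptions for this demo.

```shell
#!/bin/sh
# CIRCLE_BRANCH is the real CircleCI variable; the value below is a constructed,
# hypothetical sample that carries a command separator.
CIRCLE_BRANCH='release/1.0; echo INJECTED'
export CIRCLE_BRANCH

# Insecure pattern from the page: the branch VALUE is written into the file, so any
# shell syntax it contains is parsed as commands when a later step sources it.
write_insecure() {
    echo "RELEASE_NAME=${CIRCLE_BRANCH}" > "$1"
}

# Secure pattern from the page: a single-quoted literal is written, so the file holds
# the text ${CIRCLE_BRANCH}; at source time it is expanded only as an assignment value,
# which undergoes no word splitting or command substitution.
write_secure() {
    echo 'RELEASE_NAME=${CIRCLE_BRANCH}' > "$1"
}

# Simulate a later job step sourcing $BASH_ENV, in a subshell so nothing leaks.
# Prints whatever the sourced file prints, then the resulting RELEASE_NAME.
run_step() {
    ( . "$1"; printf 'RELEASE_NAME=%s\n' "$RELEASE_NAME" )
}

# Heuristic review check over a config file: report lines that redirect into
# $BASH_ENV without single-quoting the echoed text (prints them with line numbers).
flag_insecure_writes() {
    grep -n '>> *\$BASH_ENV' "$1" | grep -v "echo '"
}

# Stand-alone demo: the insecure file prints INJECTED, the secure one does not.
main() {
    env_file=$(mktemp)
    write_insecure "$env_file"
    echo '--- insecure BASH_ENV ---'; run_step "$env_file"
    write_secure "$env_file"
    echo '--- secure BASH_ENV ---';   run_step "$env_file"
    rm -f "$env_file"
}
main
```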

More information