# CircleCI $BASH_ENV Injection
CircleCI's `$BASH_ENV` environment variable points to a file that is sourced at the start of each remaining step of the job. If untrusted or unescaped values (such as a branch name) are appended to that file, any shell metacharacters they contain are evaluated as bash commands in every later step, which can lead to code execution and compromise the workflow.

If possible, use single-quoted strings and escape environment variables so that the value is written to the file literally and is never evaluated as bash commands.
## Examples
### Insecure Example

```yaml
steps:
  - run: |
      echo "RELEASE_NAME=${CIRCLE_BRANCH}" >> $BASH_ENV
  - run: |
      echo RELEASE_NAME=$CIRCLE_BRANCH >> $BASH_ENV
```
### Secure Example

```yaml
steps:
  - run: |
      echo 'RELEASE_NAME=${CIRCLE_BRANCH}' >> $BASH_ENV
```
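The following script is an added example (not from the original page or from CircleCI) that reproduces both patterns locally so the difference can be checked without a CI job. It simulates `$BASH_ENV` with a temporary file and uses a constructed `CIRCLE_BRANCH` value that is a valid branch name yet carries a shell assignment after a `;`; the `INJECTED` variable is an assumed marker that only changes if the appended text is executed as code when the file is sourced.

```shell
#!/usr/bin/env bash
# Added example: simulates what happens to a value appended to $BASH_ENV when
# CircleCI later sources that file. CIRCLE_BRANCH is normally set by CircleCI;
# here it is a constructed value for the demonstration.
CIRCLE_BRANCH='main; INJECTED=yes'
export CIRCLE_BRANCH

# Writes the line the insecure way (double quotes), sources the file, and prints
# the marker variable. A result of "yes" means the branch name ran as code.
insecure_append() {
    local env_file
    env_file=$(mktemp)
    # Double quotes expand CIRCLE_BRANCH at write time, so the ';' and the
    # assignment after it land in the file as shell code.
    echo "RELEASE_NAME=${CIRCLE_BRANCH}" >> "$env_file"
    INJECTED=no
    . "$env_file"          # this is what each later CircleCI step does
    rm -f "$env_file"
    printf '%s' "$INJECTED"
}

# Writes the line the secure way (single quotes), sources the file, and prints
# "<marker>|<RELEASE_NAME>" so both the absence of execution and the correct
# final value can be checked.
secure_append() {
    local env_file
    env_file=$(mktemp)
    # Single quotes write the literal text ${CIRCLE_BRANCH}. It is expanded only
    # when the file is sourced, and the result of a parameter expansion on the
    # right-hand side of an assignment is never re-parsed as commands.
    echo 'RELEASE_NAME=${CIRCLE_BRANCH}' >> "$env_file"
    INJECTED=no
    RELEASE_NAME=
    . "$env_file"
    rm -f "$env_file"
    printf '%s|%s' "$INJECTED" "$RELEASE_NAME"
}

# Stand-alone usage: print both outcomes side by side.
echo "insecure: INJECTED=$(insecure_append)"
echo "secure:   $(secure_append)"
```

Run it with bash: the insecure function reports `INJECTED=yes`, while the secure function reports `no` and shows `RELEASE_NAME` holding the whole branch string, metacharacters included, as plain data. The second insecure form on the page (`echo RELEASE_NAME=$CIRCLE_BRANCH`) behaves like the first, since the unquoted expansion is also performed at write time.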