CircleCI Shell Injection

CircleCI pipeline values (`<< pipeline.* >>`) are evaluated when the workflow is compiled, before any step runs. If such a value is placed directly in a step's `command`, its contents become part of the shell script text and can be evaluated by the shell as commands, compromising the workflow execution.

Examples

Insecure Example

steps:
- run:
    name: "pipeline variable injection"
    command: |
      # the branch name is substituted into this script text at compile time,
      # so anything it contains is interpreted by the shell
      echo "<< pipeline.git.branch >>"

Secure Example

Passing the pipeline value through an environment variable ensures its contents reach the shell as data (an expanded variable), not as part of the command text, so they cannot be evaluated as shell commands.

steps:
- run:
    name: "intermediate env variable"
    environment:
      # substituted at compile time into the variable's value, not into the script
      BRANCH: << pipeline.git.branch >>
    command: |
      # the shell expands $BRANCH as a string; its contents are never parsed as commands
      echo "$BRANCH"
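As an added example (not part of the original page or of CircleCI's tooling), the following scanner detects the insecure pattern from both examples above: any `<< pipeline.* >>` value that lands inside a `run` step's `command`, whether written inline or in a `|`/`>` block scalar. It deliberately avoids a YAML library so it runs with the standard library only, and it tracks indentation to find the end of a block scalar. The sample config embedded in it is constructed for illustration; the regexes and function names are this example's own assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample config: one insecure block-scalar command, one secure
# environment-variable step, and one insecure inline command.
SAMPLE_CONFIG = """\
version: 2.1
jobs:
  build:
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      - run:
          name: "pipeline variable injection"
          command: |
            echo "<< pipeline.git.branch >>"
      - run:
          name: "intermediate env variable"
          environment:
            BRANCH: << pipeline.git.branch >>
          command: |
            echo "$BRANCH"
      - run:
          name: "inline command"
          command: ./deploy.sh << pipeline.parameters.target >>
"""

# Matches a CircleCI compile-time interpolation of a pipeline value.
INTERPOLATION = re.compile(r"<<\s*(pipeline\.[\w.\-]+)\s*>>")
# Matches a `command:` mapping key and captures its indentation and inline value.
COMMAND_KEY = re.compile(r"^(\s*)command:\s*(.*)$")


def find_command_interpolations(config_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, expression) for every << pipeline.* >> that appears
    in a `command:` value. Interpolations elsewhere (for example under
    `environment:`) are not reported, because the shell only sees them as data."""
    lines = config_text.splitlines()
    findings: List[Tuple[int, str]] = []
    i = 0
    while i < len(lines):
        m = COMMAND_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        indent = len(m.group(1))
        value = m.group(2).strip()
        body = [(i + 1, value)]  # 1-based line numbers for reporting
        if value.startswith(("|", ">")):
            # Block scalar: the body is every following line indented deeper
            # than the `command:` key (blank lines are part of the block).
            j = i + 1
            while j < len(lines) and (
                lines[j].strip() == ""
                or len(lines[j]) - len(lines[j].lstrip()) > indent
            ):
                body.append((j + 1, lines[j]))
                j += 1
            i = j
        else:
            i += 1
        for lineno, text in body:
            for expr in INTERPOLATION.findall(text):
                findings.append((lineno, expr))
    return findings


def is_free_of_command_injection(config_text: str) -> bool:
    """True when no pipeline value is interpolated directly into a command."""
    return not find_command_interpolations(config_text)


if __name__ == "__main__":
    for lineno, expr in find_command_interpolations(SAMPLE_CONFIG):
        print(f"line {lineno}: '{expr}' interpolated into a command; "
              f"move it to an `environment:` entry and reference it as a shell variable")
```

Run against the embedded config it reports lines 11 and 20 and stays silent on the `environment:`-based step. The scanner only recognises the `command:` key of the long `run` form; the short form `- run: echo ...` is not covered, which is a known gap of this example rather than of CircleCI.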