CircleCI Shell Injection
CircleCI pipeline variables are evaluated when the workflow is compiled, before the job runs. As a result, a pipeline variable such as `<< pipeline.git.branch >>` that is placed directly inside a `command:` is substituted as literal text into the shell script, so its content can unintentionally be evaluated as shell commands and compromise the workflow execution.
Examples
Insecure Example
steps:
  - run:
      name: "pipeline variable injection"
      command: |
        echo "<< pipeline.git.branch >>"
Secure Example
Placing the pipeline variable in an environment variable ensures that its content is passed to the shell as data rather than spliced into the script text, so it cannot be evaluated as shell commands. Note that the variable must then be referenced as a quoted shell variable ("$BRANCH"), not re-inserted into the command with << >> syntax.
steps:
  - run:
      name: "intermediate env variable"
      environment:
        BRANCH: << pipeline.git.branch >>
      command: |
        echo "$BRANCH"
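The following Python scanner is an added example, not part of this rule page or of CircleCI's tooling. It flags `<< pipeline.* >>` placeholders expanded directly inside a `run` step's `command:` while ignoring the same placeholder under `environment:`. It is a line-based heuristic (an assumption: a `command:` key opens a scope, and every following line indented deeper than that key is part of the command block scalar), and the sample config it scans is constructed for the example.

```python
import re

# A CircleCI pipeline value placeholder, e.g. << pipeline.git.branch >>
PIPELINE_VALUE = re.compile(r"<<\s*pipeline\.[\w.]+\s*>>")
# A `command:` key (optionally a list item), capturing its indentation and inline value
COMMAND_KEY = re.compile(r"^(\s*)(?:-\s+)?command:\s*(.*)$")

# Constructed sample config: the insecure step followed by the secure step.
SAMPLE_CONFIG = """\
version: 2.1
jobs:
  build:
    docker:
      - image: cimg/base:stable
    steps:
      - run:
          name: "pipeline variable injection"
          command: |
            echo "<< pipeline.git.branch >>"
      - run:
          name: "intermediate env variable"
          environment:
            BRANCH: << pipeline.git.branch >>
          command: |
            echo "$BRANCH"
"""


def find_pipeline_values_in_commands(config_text):
    """Return (line_number, stripped_line) pairs where a << pipeline.* >>
    placeholder is substituted straight into a `command:` value."""
    findings = []
    block_indent = None  # indentation of the enclosing `command:` key, if any
    for number, line in enumerate(config_text.splitlines(), start=1):
        if not line.strip():
            continue  # blank lines do not terminate a YAML block scalar
        indent = len(line) - len(line.lstrip(" "))
        m = COMMAND_KEY.match(line)
        if m:
            block_indent = len(m.group(1))
            if PIPELINE_VALUE.search(m.group(2)):  # inline form: command: echo "<< ... >>"
                findings.append((number, line.strip()))
            continue
        if block_indent is not None and indent > block_indent:
            if PIPELINE_VALUE.search(line):  # line belongs to the command block
                findings.append((number, line.strip()))
        else:
            block_indent = None  # dedented: left the command block (e.g. environment:)
    return findings


if __name__ == "__main__":
    for number, text in find_pipeline_values_in_commands(SAMPLE_CONFIG):
        print(f"line {number}: pipeline value expanded inside command: {text}")
```

Only the first step is reported; the `BRANCH:` line under `environment:` is the secure form and is not flagged.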