CircleCI Shell Injection
CircleCI pipeline variables are evaluated when the workflow is compiled, before any step runs. As such, if a pipeline variable is interpolated directly into a command, its content becomes part of the shell script and could be unintentionally evaluated as shell commands, compromising the workflow execution.
```yaml
steps:
  - run:
      name: "pipeline variable injection"
      command: |
        echo "<< pipeline.git.branch >>"
```
Placing the pipeline variable in an environment variable and referencing that variable from the command ensures the content cannot be evaluated as shell commands: the shell treats the expanded value of `$BRANCH` as data rather than parsing it as script.
```yaml
steps:
  - run:
      name: "intermediate env variable"
      environment:
        BRANCH: << pipeline.git.branch >>
      command: |
        echo "$BRANCH"
```
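A small detector for this pattern, written here as an added example (it is not part of the original page or of CircleCI's tooling): it scans a config's text for compile-time `<< pipeline.* >>` (and `<< parameters.* >>`, which CircleCI also expands before the job runs) interpolations that land inside a `command:` value, where the expanded text becomes shell source. The sample config is constructed from the two snippets above; values under `environment:` are deliberately not reported.

```python
import re

# Compile-time interpolation such as << pipeline.git.branch >> (and
# << parameters.x >>, which CircleCI also expands before the job runs).
INTERPOLATION = re.compile(r"<<\s*((?:pipeline|parameters)\.[\w.-]+)\s*>>")
COMMAND_KEY = re.compile(r"^(\s*)command:\s*(.*)$")


def find_command_interpolations(config_text: str) -> list[tuple[int, str]]:
    """Return (line_no, variable) for each compile-time variable used inside a
    `command:` value; `environment:` values are deliberately not reported."""
    findings, lines, i = [], config_text.splitlines(), 0
    while i < len(lines):
        m = COMMAND_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        indent, value = len(m.group(1)), m.group(2).strip()
        if value.startswith(("|", ">")):
            # Block scalar: the script is every following line indented
            # deeper than the `command:` key (blank lines are allowed).
            i += 1
            while i < len(lines) and (not lines[i].strip()
                                      or len(lines[i]) - len(lines[i].lstrip()) > indent):
                findings += [(i + 1, v) for v in INTERPOLATION.findall(lines[i])]
                i += 1
        else:
            # Inline scalar: the script sits on the same line as the key.
            findings += [(i + 1, v) for v in INTERPOLATION.findall(value)]
            i += 1
    return findings


# Constructed sample: step one is the vulnerable pattern, step two the fix.
SAMPLE_CONFIG = """\
steps:
  - run:
      name: "pipeline variable injection"
      command: |
        echo "<< pipeline.git.branch >>"
  - run:
      name: "intermediate env variable"
      environment:
        BRANCH: << pipeline.git.branch >>
      command: |
        echo "$BRANCH"
"""

if __name__ == "__main__":
    for line_no, var in find_command_interpolations(SAMPLE_CONFIG):
        print(f"line {line_no}: '{var}' is expanded inside a shell command")
```

Run against the sample, it reports only line 5 (the `echo "<< pipeline.git.branch >>"` of the first step); the second step passes because the interpolation sits under `environment:`.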