# GitHub Script Injection
Using variable interpolation (`${{...}}`) with `github` context data inside the `script:` input of an `actions/github-script` step could allow an attacker to inject their own code into the runner, because the expression is expanded into the JavaScript source text before the script is executed.
## Examples
Insecure Example

```yaml
steps:
  - name: GitHub Script
    uses: actions/github-script@v6
    with:
      script: |
        console.log("Received a PR: ${{ github.event.pull_request.title }}")
```
Secure Example

The `context` object provided by `actions/github-script` can be used in the script to read metadata about the workflow run, so no expression has to be interpolated into the script text:

```yaml
steps:
  - name: GitHub Script
    uses: actions/github-script@v6
    with:
      script: |
        console.log("Received a PR: " + context.payload.pull_request.title)
```
Alternatively, the value can be placed in an environment variable and safely accessed in the script using `process.env`, where it is handled as data rather than code:

```yaml
steps:
  - name: GitHub Script
    uses: actions/github-script@v6
    env:
      TITLE: ${{ github.event.pull_request.title }}
    with:
      script: |
        const { TITLE } = process.env;
        console.log("Received a PR: " + TITLE)
```
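To catch the insecure pattern above in a repository's workflow files, here is an added example (not code from the original page or from `actions/github-script`) of a small heuristic checker: it locates `actions/github-script` steps and reports any `${{ github.event.* }}` expression interpolated into their `script:` value, while leaving expressions placed under `env:` alone. The list of `github.event` fields it treats as untrusted and the sample workflow text are assumptions constructed for the example.

```javascript
// Added example, not from the original page: a line-based checker for
// `${{ ... }}` expressions inside an actions/github-script `script:` value.
// Assumed (not exhaustive) list of attacker-controllable github.event fields.
const UNTRUSTED_EXPR =
  /\$\{\{\s*github\.event\.(pull_request|issue|comment|review|head_commit|commits)\b[^}]*\}\}/g;
// Group workflow lines into steps: every `- ` list item starts a new group.
function splitSteps(workflowText) {
  const steps = [];
  let current = null;
  workflowText.split("\n").forEach((text, i) => {
    if (/^\s*-\s/.test(text)) { current = []; steps.push(current); }
    if (current) current.push({ no: i + 1, text });
  });
  return steps;
}
// Lines holding the step's `script:` value: a `|`/`>` block scalar or an inline value.
function scriptLines(step) {
  const keyIdx = step.findIndex((l) => /^\s*script:/.test(l.text));
  if (keyIdx < 0) return [];
  const key = step[keyIdx];
  if (!/^\s*script:\s*[|>][-+]?\s*$/.test(key.text)) return [key];
  const keyIndent = key.text.search(/\S/);
  const body = [];
  for (const l of step.slice(keyIdx + 1)) {
    if (l.text.trim() !== "" && l.text.search(/\S/) <= keyIndent) break;
    body.push(l);
  }
  return body;
}
// Returns [{ line, expression }] for each untrusted expression inside a github-script step.
function findGithubScriptInjections(workflowText) {
  const findings = [];
  for (const step of splitSteps(workflowText)) {
    if (!step.some((l) => /uses:\s*["']?actions\/github-script/.test(l.text))) continue;
    for (const l of scriptLines(step)) {
      for (const m of l.text.matchAll(UNTRUSTED_EXPR)) findings.push({ line: l.no, expression: m[0] });
    }
  }
  return findings;
}

// Constructed sample: the insecure step from above (`\$` keeps the expression literal here).
const INSECURE_WORKFLOW = `steps:
  - name: GitHub Script
    uses: actions/github-script@v6
    with:
      script: |
        console.log("Received a PR: \${{ github.event.pull_request.title }}")
`;
console.log(findGithubScriptInjections(INSECURE_WORKFLOW)); // [{ line: 6, expression: '${{ github.event.pull_request.title }}' }]
```

The checker scans YAML text line by line rather than parsing it, so it is a first-pass lint, not a substitute for reviewing each step that handles event data.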