
GitHub Script Injection

Using expression interpolation (${{...}}) with github context data inside the script: input of an actions/github-script step could allow an attacker to inject their own code into the runner. The runner expands the expression into the script text before the JavaScript is evaluated, so any value an external user controls (for example a pull request title, body, or branch name) becomes part of the program's source rather than a string the program handles.

Examples

Insecure Example

steps:
- name: GitHub Script
  uses: actions/github-script@v6
  with:
    script: |
      console.log("Received a PR: ${{ github.event.pull_request.title }}")

Secure Example

The context object provided to the script can be used to read metadata about the workflow run; context.payload holds the same webhook event data as github.event, but it is read at runtime as data instead of being spliced into the script source:

steps:
- name: GitHub Script
  uses: actions/github-script@v6
  with:
    script: |
      console.log("Received a PR: " + context.payload.pull_request.title)

Alternatively, the value can be passed as an environment variable and read in the script through process.env. The expression is still expanded, but into the process environment rather than into the JavaScript source, so the value arrives as a plain string:

steps:
- name: GitHub Script
  uses: actions/github-script@v6
  env:
    TITLE: ${{ github.event.pull_request.title }}
  with:
    script: |
      const { TITLE } = process.env;
      console.log("Received a PR: " + TITLE)
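The following is an added example, not code from the original page or from actions/github-script. It simulates, in plain Node.js, what happens in the insecure and the two secure steps above: a simplified stand-in for the runner's ${{...}} expansion splices a constructed, attacker-chosen pull request title into the script text, and a stand-in for github-script's script evaluation runs the result. The expander, the runScript function, and the recording sink are assumptions made for the demonstration; the real runner and action are more elaborate, but textual substitution before evaluation is the property that matters.

```javascript
// Constructed attacker-chosen PR title: it closes the string literal and the
// console.log(...) call, appends its own statement, and comments out the rest.
const MALICIOUS_TITLE = 'Fix typo"); sink.push("injected code ran"); //';

function makePayload(title) {
  // Constructed stand-in for the pull_request webhook payload.
  return { pull_request: { title, number: 42 } };
}

// Simplified stand-in for the runner's ${{ expr }} expansion (assumption): it
// resolves a dotted path such as github.event.pull_request.title and splices
// the value verbatim into the surrounding text.
function expandExpressions(text, ctx) {
  return text.replace(/\$\{\{\s*([\w.]+)\s*\}\}/g, (_, path) =>
    String(path.split(".").reduce((obj, key) => (obj == null ? undefined : obj[key]), ctx)));
}

// Simplified stand-in for github-script evaluating the script: input
// (assumption). Only the names in `scope` are visible to the script, so the
// demonstration can observe exactly what the evaluated source did.
function runScript(source, scope) {
  const names = Object.keys(scope);
  const fn = new Function(...names, source);
  return fn(...names.map((n) => scope[n]));
}

function makeScope(payload, env) {
  const logged = [];   // what the script printed
  const sink = [];     // reachable only by code the script itself contains
  return {
    scope: {
      console: { log: (msg) => logged.push(msg) },
      context: { payload },
      process: { env },
      sink,
    },
    logged,
    sink,
  };
}

// Insecure step: the expression is expanded into the JavaScript source.
function runInsecureStep(title) {
  const github = { event: makePayload(title) };
  const scriptInput = 'console.log("Received a PR: ${{ github.event.pull_request.title }}")';
  const source = expandExpressions(scriptInput, { github });
  const { scope, logged, sink } = makeScope(github.event, {});
  runScript(source, scope);
  return { source, logged, sink };
}

// Secure step (context object): the title is read from context.payload at
// runtime, so it is handled as data and never becomes source.
function runSecureContextStep(title) {
  const payload = makePayload(title);
  const source = 'console.log("Received a PR: " + context.payload.pull_request.title)';
  const { scope, logged, sink } = makeScope(payload, {});
  runScript(source, scope);
  return { source, logged, sink };
}

// Secure step (environment variable): the expression is expanded into env,
// and the script reads it through process.env as a plain string.
function runSecureEnvStep(title) {
  const github = { event: makePayload(title) };
  const env = { TITLE: expandExpressions("${{ github.event.pull_request.title }}", { github }) };
  const source = 'const { TITLE } = process.env; console.log("Received a PR: " + TITLE)';
  const { scope, logged, sink } = makeScope(github.event, env);
  runScript(source, scope);
  return { source, logged, sink };
}

const insecure = runInsecureStep(MALICIOUS_TITLE);
console.log("insecure source :", insecure.source);
console.log("insecure sink   :", insecure.sink);      // ["injected code ran"]
const secure = runSecureContextStep(MALICIOUS_TITLE);
console.log("secure sink     :", secure.sink);        // []
console.log("secure logged   :", secure.logged[0]);   // title printed verbatim
```

Running the script shows the expanded insecure source, `console.log("Received a PR: Fix typo"); sink.push("injected code ran"); //")`, which is valid JavaScript that executes the attacker's statement; the two secure variants log the same title verbatim, quotes and all, without anything in the sink.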