GitHub Action with shell injection

Checks for GitHub Action workflows where untrusted attributes controllable by the pull request author are interpolated directly into a shell script and could lead to code execution.

Examples
Insecure Example

```yaml
on:
  pull_request:
jobs:
  docker-build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Show issue title
        run: |
          echo "${{ github.event.issue.title }}" # This is subject to shell injection
```
Secure Example

Avoid using untrusted, arbitrarily user-controllable attributes directly, especially in shell scripts. Pass such values to the step through an environment variable and reference the variable from the script instead.
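The check described above, as an added Python example that is not the rule's own implementation: it scans a workflow file for `${{ }}` expressions inside `run:` scripts and reports the ones drawn from contexts a pull request or issue author controls. The two workflows embedded in it are constructed for the example; the insecure one mirrors the snippet on this page, and the secure one shows the hardening the text recommends (the expression moved into `env:` and the script reading `$TITLE`), which the scanner correctly leaves unflagged. The list of untrusted context prefixes is an assumption of this example and is not exhaustive.

```python
import re
from typing import Iterator, List, Tuple

# Expression contexts whose value an external pull request, issue or comment
# author controls (titles, bodies, branch names, commit messages). This list
# is an assumption of the example, not a complete catalogue.
UNTRUSTED_PREFIXES = (
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.comment.body",
    "github.event.review.body",
    "github.event.review_comment.body",
    "github.event.commits",
    "github.event.head_commit",
    "github.head_ref",
)

EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")
RUN_RE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _run_script_lines(workflow: str) -> Iterator[Tuple[int, str]]:
    """Yield (line_number, text) for every line belonging to a `run:` script.

    Handles inline `run: cmd` and block scalars `run: |` / `run: >`. This is a
    deliberately small YAML subset, not a full parser.
    """
    lines = workflow.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if m is None:
            i += 1
            continue
        value = m.group(2).strip()
        key_col = lines[i].index("run:")
        if value.startswith(("|", ">")):
            # Block scalar: the body is every following line indented deeper
            # than the `run:` key (blank lines inside the block are allowed).
            j = i + 1
            while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) > key_col):
                if lines[j].strip():
                    yield j + 1, lines[j]
                j += 1
            i = j
        else:
            yield i + 1, value
            i += 1


def find_shell_injection(workflow: str) -> List[Tuple[int, str]]:
    """Return (line_number, expression) for each untrusted `${{ }}` expression
    interpolated directly into a `run:` shell script."""
    findings: List[Tuple[int, str]] = []
    for line_no, text in _run_script_lines(workflow):
        for expr in EXPR_RE.findall(text):
            if expr.startswith(UNTRUSTED_PREFIXES):
                findings.append((line_no, expr))
    return findings


# Constructed sample: the page's insecure pattern plus one more untrusted and
# one trusted expression, so the scanner's selectivity is visible.
INSECURE_WORKFLOW = """\
on:
  pull_request:
jobs:
  docker-build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Show issue title
        run: |
          echo "${{ github.event.issue.title }}"
      - run: echo "Branch is ${{ github.head_ref }}"
      - run: echo "${{ github.sha }}"
"""

# Constructed sample of the hardened form: the untrusted value is bound to an
# environment variable and the script expands the variable, so the value is
# never parsed by the shell as code.
SECURE_WORKFLOW = """\
on:
  pull_request:
jobs:
  docker-build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Show issue title
        env:
          TITLE: ${{ github.event.issue.title }}
        run: |
          echo "$TITLE"
"""

if __name__ == "__main__":
    for name, wf in (("insecure", INSECURE_WORKFLOW), ("secure", SECURE_WORKFLOW)):
        print(name, find_shell_injection(wf))
```

The scanner only looks inside `run:` scripts, which is why the secure workflow produces no findings: the same expression sits in `env:`, where the runner assigns it to a variable rather than splicing it into shell source. `${{ github.sha }}` is left alone because it is not attacker-controlled.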