This repository was archived by the owner on Jun 1, 2026. It is now read-only.

security: CWE-77: Fix expression injection in action inputs — VC-53691#2

Open

torresashjiancyber wants to merge 1 commit into Venafi:main from torresashjiancyber:VC-53691-logos-fix-c

Conversation

@torresashjiancyber


Summary

Fixes CWE-77 expression injection vulnerability by routing action inputs through environment variables instead of direct string interpolation into shell scripts.

Finding

The composite action interpolated ${{ inputs.release }}, ${{ inputs.install-dir }}, and ${{ inputs.use-sudo }} directly into run: shell script bodies without routing them through env: and quoting. This allowed shell metacharacters in those inputs to be executed as code on the consumer's runner.

CVSS: 9.2 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Three injection sinks were identified:

  1. mkdir -p ${{ inputs.install-dir }} (line 45) - executed before any validation
  2. if [[ ${{ inputs.release }} =~ $semver ]] (line 111) - command substitution in validator
  3. if [[ "${{ inputs.use-sudo }}" == "true" ]] (line 106) - command substitution in comparison

Remediation

  1. Added env: block to the main bash step declaring RELEASE, INSTALL_DIR, and USE_SUDO
  2. Replaced all ${{ inputs.* }} references in script bodies with quoted shell variables
  3. Moved release validation before mkdir/pushd sinks to fail fast on invalid input
  4. Added env: blocks to both PATH-export steps (Linux/macOS and Windows)

All three PoC attack vectors are now blocked - inputs are passed as environment variable values rather than interpolated into shell source code.

Verification

GitHub Action projects typically have no local build/test suite. The fix has been validated through:

  • Code review confirming all ${{ inputs.* }} expressions removed from shell contexts
  • Static analysis confirming proper quoting of environment variables
  • Validation order corrected (semver check before filesystem operations)
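The remediation pattern described in this PR (inputs declared under env: and then referenced as quoted shell variables, with the semver check moved ahead of mkdir) alongside the kind of review check listed under Verification, as an added example that is not the project's action.yml or the PR author's code. The two step snippets are constructed stand-ins for the real action, the semver regex is an assumption, and count_run_interpolations is a hypothetical helper that counts `${{ ... }}` expressions appearing inside run: bodies (references under env: are the intended pattern and are not counted).

```shell
#!/usr/bin/env bash
# Added example, not the project's code: a "before" and "after" composite-action
# step for CWE-77 expression injection, plus a check that flags `${{ ... }}`
# expressions used inside run: bodies.
set -euo pipefail

# Constructed "before" step: inputs interpolated straight into the shell source,
# so the input value becomes part of the script text the runner executes.
VULNERABLE_STEP=$(cat <<'EOF'
    - shell: bash
      run: |
        mkdir -p ${{ inputs.install-dir }}
        if [[ "${{ inputs.use-sudo }}" == "true" ]]; then SUDO=sudo; fi
        if [[ ${{ inputs.release }} =~ $semver ]]; then echo "release ok"; fi
EOF
)

# Constructed "after" step: inputs arrive as environment variable *values*,
# are always double-quoted, and the release is validated before any
# filesystem operation. The semver regex is an assumption for this example.
FIXED_STEP=$(cat <<'EOF'
    - shell: bash
      env:
        RELEASE: ${{ inputs.release }}
        INSTALL_DIR: ${{ inputs.install-dir }}
        USE_SUDO: ${{ inputs.use-sudo }}
      run: |
        semver='^v?[0-9]+\.[0-9]+\.[0-9]+$'
        if [[ ! "$RELEASE" =~ $semver ]]; then
          echo "invalid release: $RELEASE" >&2
          exit 1
        fi
        mkdir -p "$INSTALL_DIR"
        if [[ "$USE_SUDO" == "true" ]]; then SUDO=sudo; fi
EOF
)

# count_run_interpolations (hypothetical helper): prints how many lines inside
# run: blocks of the given YAML text contain a `${{` expression. A run: block
# ends at the first non-blank line indented no deeper than the run: key itself.
count_run_interpolations() {
  awk '
    /^[[:space:]]*run:/            { inrun = 1; indent = match($0, /[^ ]/); next }
    inrun && /^[[:space:]]*$/      { next }                 # blank lines stay in block
    inrun && match($0, /[^ ]/) <= indent { inrun = 0 }      # dedent ends the block
    inrun && index($0, "${{") > 0  { n++ }
    END                            { print n + 0 }
  ' <<<"$1"
}

main() {
  printf 'vulnerable step: %s expression(s) inside run:\n' \
    "$(count_run_interpolations "$VULNERABLE_STEP")"   # 3
  printf 'fixed step:      %s expression(s) inside run:\n' \
    "$(count_run_interpolations "$FIXED_STEP")"        # 0
}
main
```

Run it on an actual action.yml with `count_run_interpolations "$(cat action.yml)"`; a non-zero count is a line to review, since the only safe place for a `${{ inputs.* }}` expression in a composite action is an env: value (or a `with:` value), never the script body.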
