Skip to content

support yaml mapping strings, reduce injection risks #25

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jenseng merged 1 commit into from
Dec 10, 2025
Merged

support yaml mapping strings, reduce injection risks #25

jenseng merged 1 commit into from
Dec 10, 2025

Conversation

@jenseng
Copy link
Owner

@jenseng jenseng commented Dec 10, 2025
edited
Loading

Simplify usage and improve security

1. with as a YAML mapping string

Now you can specify the with input as a YAML mapping string, e.g.

- uses: jenseng/dynamic-uses@v1
  with:
    uses: actions/setup-node@${{ inputs.actionVersion }}
    with: |
      node-version: 18
      cache: npm

Note that JSON still works, since it's a subset of YAML.

2. Reduce injection risks

As part of implementing this, we now reduce the risks around YAML injection when with contains untrusted expressions. E.g. it's no longer possible to inject more steps to the action, since all lines are fully indented.

That said, additional inputs could still be injected to the dynamically called action. There's no way for dynamic-uses to prevent this, since from its perspective the with input is an opaque string of inputs that are presumably trustworthy. So the overall guidance is unchanged in that every expression used in with should be made YAML-safe via toJSON

@jenseng jenseng force-pushed the allow-yaml-with branch 5 times, most recently from 935b89c to 6bb8974 Compare December 10, 2025 17:44
@jenseng jenseng mentioned this pull request Dec 10, 2025
Closed
@jenseng jenseng marked this pull request as ready for review December 10, 2025 19:07
@jenseng jenseng changed the title support yaml mapping strings and document it as the default support yaml mapping strings, reduce injection risks Dec 10, 2025
@jenseng jenseng merged commit bc8e33f into main Dec 10, 2025
3 checks passed
@jenseng jenseng deleted the allow-yaml-with branch December 10, 2025 19:45
jsoref
jsoref reviewed Dec 17, 2025
View reviewed changes
Copy link

@jsoref jsoref left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

clever action. I've done things like this but hadn't actually gotten around to making a truly generic version.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@jsoref jsoref jsoref left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jenseng @jsoref