@jenseng jenseng commented Dec 11, 2025

Prevent expression injection. e.g. suppose you have the following:

```yaml
- env:
    secretApiKey: ${{ secrets.apiKey }}
  uses: jenseng/dynamic-uses@v1
  with:
    uses: myactions/validate-pr-title@${{ inputs.actionVersion }}
    with: |
      title: ${{ toJSON(github.event.pull_request.title) }}
```

Although we're doing toJSON to protect against general YAML quoting/escaping issues, the string could still contain a GitHub Actions expression. If github.event.pull_request.title contains Hello ${{ env.secretApiKey }}, we want to ensure that that expression is not evaluated in the generated action. Otherwise the secretApiKey will be passed to the dynamically called action, with possible negative consequences.

It's probably not a huge vulnerability, since composite actions don't have access to secrets, so it's unlikely an attacker could exfiltrate anything that's not already visible in the logs/etc. But better safe than sorry 😅
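Added example, not code from the dynamic-uses project: a Python sketch of the defensive step the PR describes. It neutralizes `${{` in untrusted values before they are JSON-quoted into the generated `with:` block and then checks that no expression is left to be evaluated. The literal-`${{` form `${{ '${{' }}`, the function names and the sample title are assumptions made for this illustration.

```python
import json
import re

# Matches a GitHub Actions expression anywhere in a string (pattern constructed for this example).
EXPRESSION = re.compile(r"\$\{\{.*?\}\}", re.DOTALL)

# Assumed workaround: an expression that evaluates to the literal text "${{",
# so the runner reproduces the characters instead of evaluating what follows.
LITERAL_OPEN = "${{ '${{' }}"


def find_expressions(text: str) -> list[str]:
    """Return every ${{ ... }} expression present in untrusted text (for logging/detection)."""
    return EXPRESSION.findall(text)


def neutralize(text: str) -> str:
    """Rewrite every '${{' so the runner emits it literally rather than evaluating it."""
    return text.replace("${{", LITERAL_OPEN)


def render_with_block(inputs: dict[str, str]) -> str:
    """Build the `with:` block of a generated action.yml from untrusted input values.

    Each value is neutralized first, then JSON-quoted (the toJSON step from the
    PR description) so ordinary YAML quoting/escaping is handled as well.
    """
    lines = ["with:"]
    for key, value in inputs.items():
        lines.append(f"  {key}: {json.dumps(neutralize(value))}")
    return "\n".join(lines)


def has_live_expression(rendered: str) -> bool:
    """True if the rendered YAML still contains an expression the runner would evaluate.

    Neutralized openers are stripped first, so only unexpected '${{' remain.
    """
    return "${{" in rendered.replace(LITERAL_OPEN, "")


if __name__ == "__main__":
    # Constructed hostile PR title, modelled on the example in the PR description.
    title = "Hello ${{ env.secretApiKey }}"
    print("expressions found:", find_expressions(title))
    block = render_with_block({"title": title})
    print(block)
    print("live expression left:", has_live_expression(block))
```

Run it to see the title rendered as `"Hello ${{ '${{' }} env.secretApiKey }}"`, which the runner turns back into the harmless literal text instead of the value of `env.secretApiKey`.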

@jenseng jenseng force-pushed the prevent-deferred-interpolation branch 10 times, most recently from c85d919 to 9ba583b December 11, 2025 17:09
@jenseng jenseng changed the title test deferred interpolation prevent expression injection Dec 11, 2025
@jenseng jenseng force-pushed the prevent-deferred-interpolation branch from 9ba583b to 7def7ec December 11, 2025 17:22
@jenseng jenseng marked this pull request as ready for review December 11, 2025 17:25
@jenseng jenseng merged commit 8bc24f0 into main Dec 11, 2025
4 checks passed
@jenseng jenseng deleted the prevent-deferred-interpolation branch December 11, 2025 17:25