CodeQL documentation

Expression injection in Actions

ID: js/actions/command-injection
Kind: problem
Severity: warning
Precision: high
Tags:
   - actions
   - security
   - external/cwe/cwe-094
Query suites:
   - javascript-code-scanning.qls
   - javascript-security-extended.qls
   - javascript-security-and-quality.qls

Click to see the query in the CodeQL repository

Using user-controlled input in GitHub Actions may lead to code injection in contexts like run: or script:.

Code injection in GitHub Actions may allow an attacker to exfiltrate the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository.

Recommendation

The best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable.

It is also recommended to limit the permissions of any tokens used by a workflow such as the the GITHUB_TOKEN.

Example

The following example lets a user inject an arbitrary shell command:

on: issue_comment

jobs:
  echo-body:
    runs-on: ubuntu-latest
    steps:
    - run: |
        echo '${{ github.event.comment.body }}'

The following example uses shell syntax to read the environment variable and will prevent the attack:

on: issue_comment

jobs:
  echo-body:
    runs-on: ubuntu-latest
    steps:
    - env:
        BODY: ${{ github.event.issue.body }}
      run: |
        echo '$BODY'

References

  • © GitHub, Inc.
  • Terms
  • Privacy