Harden validation-run against branch-name script injection#443
Open
arpitjain099 wants to merge 1 commit into
Open
Harden validation-run against branch-name script injection#443arpitjain099 wants to merge 1 commit into
arpitjain099 wants to merge 1 commit into
Conversation
The validation steps build ROBO_VALIDATE_* arguments by interpolating
github.head_ref, github.base_ref, and the extracted branch name (which
itself comes from the head ref) straight into the run script. Because
${{ }} is expanded into the script before bash executes it, a pull
request from a branch with a specially crafted name could run commands
in the job.
Bind those values to step-level env entries and pass them as quoted
shell variables. The robo validate invocation is unchanged.
Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Jira ticket
External contribution, no DIGITAL ticket. Happy to file one if the team prefers to track it.
Purpose
.github/workflows/validation-run.ymlpassesgithub.head_ref,github.base_ref, and the extracted branch output into the RoboValidate steps by interpolating${{ }}directly into therun:script, for example:The runner substitutes those expressions into the shell command before bash runs, and the branch name on a pull request is contributor-controlled. A branch named with shell metacharacters could therefore execute arbitrary commands in the validation job. The
extract_branchoutput is derived from the head ref, so it carries the same risk.This change binds each of those values to step
env:entries and references them as quoted shell variables ("$CURRENT_BRANCH"). Environment variables are not re-parsed by the shell, which closes the injection path. This is the mitigation in GitHub's security-hardening guidance: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injectionsThe same pattern is what CodeQL (
actions/expression-injection) and zizmor report on these lines.Deployment and testing
No behavior change. The robo
validate:allinvocations receive the sameROBO_VALIDATE_*values as before, just sourced from the step environment instead of inlined into the script. YAML parses cleanly.Checklist for the Developer