Pass github.head_ref through env in hotfix-generate workflow#8601
Open
arpitjain099 wants to merge 1 commit into
Conversation
…jection
The "Commit changes via API" step interpolates ${{ github.head_ref }}
directly into the gh api command line (the ref query parameter and the
-f branch value). Actions expands ${{ ... }} into the script before bash
runs, so a branch name containing shell metacharacters would be evaluated.
This step runs after a GitHub App token is minted, so the value executes in
a context with write access.
The job is gated to same-repo PRs (head.repo.full_name == github.repository),
which keeps fork PRs out, so this is defense-in-depth against a compromised or
malicious push-access account rather than an anonymous external path. The fix
moves the branch name into a HEAD_REF env var and references "$HEAD_REF", which
the shell does not re-evaluate. No behavior change for normal branch names.
Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
I research software supply chain security and have been going through GitHub Actions workflows for places where untrusted input reaches a shell. Small hardening change to `hotfix-generate.yml`.

The "Commit changes via API" step puts `${{ github.head_ref }}` straight into the `gh api` command line: once as the `?ref=` query parameter and once as the `-f branch=` value. Because Actions expands `${{ }}` into the script text before bash executes it, a branch name with backticks or `$(...)` would be evaluated as a command. That step runs after the GitHub App token is generated, so it executes with write access.

To be clear about reach: the job's `if:` requires `github.event.pull_request.head.repo.full_name == github.repository`, so fork PRs are already excluded. This is therefore defense-in-depth against a push-access account that is malicious or compromised, not an anonymous external vector. I still think it is worth closing because the payload lives in the branch name, which is not something a diff review surfaces.

The change moves the value into a `HEAD_REF` env var and uses `"$HEAD_REF"`; environment values are not re-parsed by the shell. Behavior is unchanged for ordinary branch names. The `ref:` input on the checkout step is an action input rather than a shell expansion, so I left it alone.
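As an added example (not part of this PR or the repository's own code), a small Python scan that flags attacker-influenced `${{ }}` contexts interpolated into `run:` scripts while leaving `env:` and `with:` values alone, applied to constructed fragments modelled on the step described above; the context list and the sample workflow text are assumptions, not the real `hotfix-generate.yml`.

```python
import re

# Contexts a PR author controls (constructed, partial list; github.head_ref is the one fixed above).
UNTRUSTED = ("github.head_ref", "github.event.pull_request.head.ref",
             "github.event.pull_request.title")
EXPR_RE = re.compile(r"\$\{\{\s*(.+?)\s*\}\}")
RUN_RE = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")


def find_run_injections(workflow_text):
    """Return [(line_no, context)] for untrusted ${{ }} expressions that Actions would paste
    into a `run:` script before the shell runs it; env:/with: values are not script text."""
    findings, run_col = [], None   # run_col: column of the `run` key while inside its block
    for no, raw in enumerate(workflow_text.splitlines(), 1):
        m = RUN_RE.match(raw)
        indent = len(raw) - len(raw.lstrip())
        if m:                                   # `run: cmd` or `run: |`
            run_col, text = len(m.group(1)), m.group(2)
        elif run_col is not None and raw.strip() and indent <= run_col:
            run_col, text = None, ""            # dedent: left the run block scalar
        else:
            text = raw if run_col is not None else ""
        for expr in EXPR_RE.findall(text):
            findings += [(no, c) for c in UNTRUSTED if c in expr]
    return findings


# Constructed fragments modelled on the step described in the PR (not the real file).
VULNERABLE = """\
jobs:
  commit:
    steps:
      - name: Commit changes via API
        run: |
          gh api "repos/${{ github.repository }}/contents/f.txt?ref=${{ github.head_ref }}" \\
            -f branch="${{ github.head_ref }}"
"""
HARDENED = """\
jobs:
  commit:
    steps:
      - name: Commit changes via API
        run: |
          gh api "repos/${{ github.repository }}/contents/f.txt?ref=$HEAD_REF" \\
            -f branch="$HEAD_REF"
        env:
          HEAD_REF: ${{ github.head_ref }}
"""

if __name__ == "__main__":
    print(find_run_injections(VULNERABLE))  # [(6, 'github.head_ref'), (7, 'github.head_ref')]
    print(find_run_injections(HARDENED))    # []
```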