actionlint
Extend security checks with workflow_dispatch event untrusted inputs
Hey! actionlint is an awesome tool!
We already have injection checks from #19; that is really untrusted user input from users who don't have any rights on the repository.
I would like to extend these checks with inputs from the common developers (who don't have admin rights or access to the repo secrets). For example, inputs from the workflow_dispatch event:
```yaml
on:
  workflow_dispatch:
    inputs:
      str:
        required: false
        type: string
        description: echo${IFS}hello;env
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - run: echo ${{ inputs.str }}
      - run: echo ${{ github.event.inputs.str }}
      - name: escape untrusted input
        env:
          STR: ${{ github.event.inputs.str }}
        run: echo $STR
```
Would be great to know your opinion on this feature :)
Upd: Probably inputs from workflow_call should also be checked.
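An added example of the kind of check proposed above (my own sketch, not code from this issue or from actionlint): a small scanner that flags `inputs.*` and `github.event.inputs.*` expressions interpolated directly into a `run:` script, including `run: |` block scalars, while the `env:` pattern from the last step is left alone because the shell then receives the value as data rather than as script text.

```python
import re

# Inputs the proposed check treats as untrusted once they reach a shell script.
UNTRUSTED_INPUT = re.compile(
    r"\$\{\{\s*((?:github\.event\.)?inputs\.[A-Za-z0-9_-]+)\s*\}\}")
RUN_KEY = re.compile(r"^\s*(?:-\s+)?run:(.*)$")


def find_input_injections(workflow_yaml: str) -> list[tuple[int, str]]:
    """(line_number, expression) for each inputs.* expression interpolated into
    a `run:` value. Expressions referenced only under `env:` are not reported."""
    findings = []
    block_col = None  # column of the `run:` key while inside its `run: |` body
    for lineno, line in enumerate(workflow_yaml.splitlines(), start=1):
        if block_col is not None:
            # The block scalar continues while lines are blank or deeper-indented.
            if not line.strip() or len(line) - len(line.lstrip()) > block_col:
                findings += [(lineno, e) for e in UNTRUSTED_INPUT.findall(line)]
                continue
            block_col = None
        m = RUN_KEY.match(line)
        if not m:
            continue
        value = m.group(1).strip()
        if value.startswith(("|", ">")):
            block_col = line.index("run:")  # script body follows on later lines
        else:
            findings += [(lineno, e) for e in UNTRUSTED_INPUT.findall(value)]
    return findings


# Constructed sample: the issue's workflow plus a multi-line `run: |` step.
SAMPLE_WORKFLOW = """\
on:
  workflow_dispatch:
    inputs:
      str: {type: string}
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - run: echo ${{ inputs.str }}
      - run: echo ${{ github.event.inputs.str }}
      - run: |
          echo "multi-line script"
          echo ${{ inputs.str }}
      - name: escape untrusted input
        env:
          STR: ${{ github.event.inputs.str }}
        run: echo $STR
"""
```

Running `find_input_injections(SAMPLE_WORKFLOW)` reports the three direct interpolations (lines 9, 10 and 13 of the sample) and nothing for the `env:`-based step.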
Is there any chance someone can look into this? It's actually possible to inject via workflow_call in a chain of calls.
The workflow_dispatch event can be triggered only by maintainers. So its inputs can be set only by maintainers. Why are they 'untrusted'? Can you show some document (an official document is best) which describes workflow_dispatch inputs as insecure?
> It's actually possible to inject via workflow_call in a chain of calls

This is an issue for workflow_dispatch. Please make another issue for another topic.
According to this table https://github.com/lidofinance/workflow-playground/actions, people with Write and higher permissions can run workflows, not only maintainers.
I'm not sure there's an official document that describes these inputs as insecure; I'll probably try to find some discussions in GitHub support.