
Feature Request: Warn on user ${{ input }} in steps[*].run

Open xsc27 opened this issue 2 years ago • 2 comments

I would like to be warned if a step is using user input inside the "run" part of a step to mitigate the risk of script injections.

Inputs include:

  • inputs.*
  • env.* (why not just use the environment variable)
  • github.actor
  • github.event.[issue | pull_request].[body | default_branch | email | head_ref | label | message | name | page_name | ref | title]
  • github.event.inputs.*
  • github.head_ref (could be branch name)
  • github.ref (can be branch and tag names)
  • github.ref_name

(I may be missing some that should be on the list.)

xsc27 · Dec 21 '21 21:12
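An added example of the check requested above, not from the issue or from actionlint: a Python scan over a workflow's step list (the shape a YAML loader would produce) that flags `${{ }}` expressions in `run:` referencing the contexts listed, next to a step that passes the same values through `env:` instead. The pattern set, function names and sample steps are my own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Contexts the post lists as attacker-influenced when interpolated into a run: script.
EVENT_FIELDS = "body|default_branch|email|head_ref|label|message|name|page_name|ref|title"
UNTRUSTED_PATTERNS = [re.compile(p) for p in (
    r"inputs\.[\w-]+",
    r"env\.[\w-]+",
    r"github\.actor",
    rf"github\.event\.(?:issue|pull_request)\.(?:{EVENT_FIELDS})",
    r"github\.event\.inputs\.[\w-]+",
    r"github\.head_ref",
    r"github\.ref",
    r"github\.ref_name",
)]
EXPR_RE = re.compile(r"\$\{\{(.*?)\}\}", re.DOTALL)          # each ${{ ... }} in the script
PATH_RE = re.compile(r"\b(?:github|inputs|env)(?:\.[\w-]+)+")  # dotted context paths in an expression


def untrusted_expressions(run_script: str) -> List[str]:
    """Context paths in a run: script that match the untrusted list, in order of appearance."""
    hits = []
    for expr in EXPR_RE.findall(run_script):
        for path in PATH_RE.findall(expr):
            if any(p.fullmatch(path) for p in UNTRUSTED_PATTERNS):
                hits.append(path)
    return hits


def scan_steps(steps: List[Dict]) -> List[Tuple[str, str]]:
    """One (step label, untrusted path) warning per hit in each step's run: script."""
    warnings = []
    for i, step in enumerate(steps):
        label = step.get("name") or step.get("id") or f"step {i + 1}"
        for path in untrusted_expressions(step.get("run", "")):
            warnings.append((label, path))
    return warnings


# Constructed sample: two steps of a pull_request job, as a YAML loader would return them.
SAMPLE_STEPS = [
    {   # vulnerable: title and branch name are pasted into the shell script before it runs
        "name": "greet",
        "run": 'echo "PR: ${{ github.event.pull_request.title }}"\ngit checkout ${{ github.head_ref }}',
    },
    {   # hardened: the same values reach the script only as environment variables
        "name": "greet-safe",
        "env": {"TITLE": "${{ github.event.pull_request.title }}", "SHA": "${{ github.sha }}"},
        "run": 'echo "PR: $TITLE" && git checkout "$SHA"',
    },
]

if __name__ == "__main__":
    for label, path in scan_steps(SAMPLE_STEPS):
        print(f"warning: step '{label}' interpolates untrusted {path} into run:")
```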

Here is a better list of what to filter for under github.event, https://securitylab.github.com/research/github-actions-untrusted-input/

xsc27 · Dec 22 '21 20:12

Previously, I've requested the same thing in https://github.com/rhysd/actionlint/issues/19 and it is implemented.

  • https://github.com/rhysd/actionlint/releases/tag/v1.6.0

If you know missing parts, please list them up. It may help the author to implement it.

azu · Mar 02 '22 05:03