Skip to content

Harden ADR workflow against issue-title command injection#2274

Open
arpitjain099 wants to merge 1 commit into
GSA:mainfrom
arpitjain099:chore/harden-adr-workflow
Open

Harden ADR workflow against issue-title command injection#2274
arpitjain099 wants to merge 1 commit into
GSA:mainfrom
arpitjain099:chore/harden-adr-workflow

Conversation

@arpitjain099

Copy link
Copy Markdown

Hi folks. I work on software supply chain security and have been reviewing GitHub Actions workflows across federal and public-sector repositories for untrusted-input handling. This is a small hardening change to adr-accepted.yml.

The workflow triggers on issues (closed) and uses github.event.issue.title inside two run: steps: the printf that builds the slug, and the git commit -m line. Actions expands ${{ ... }} into the script body before bash executes it, so a closed issue whose title contains backticks or $(...) would have that text run as a shell command. The job checks out the repo with SSH_PRIVATE_KEY and auto-merges the generated PR, so the title is evaluated in a context that can write to the repository.

The fix moves the title into an ISSUE_TITLE environment variable and references "$ISSUE_TITLE" in the scripts. Environment values are not re-parsed by the shell, so the title is treated strictly as data. This is the approach GitHub recommends for the actions/expression-injection weakness. No behavior changes for normal ADR titles.

I left the write-file-action inputs alone since those are action inputs written into a markdown file that a human reviews before merge, not shell. Happy to adjust naming or split this further if you prefer.

The "ADR accepted" workflow runs on the `issues` (closed) event and
interpolates `github.event.issue.title` directly into `run:` shell scripts
(the `printf` slug step and the `git commit -m` step). Because GitHub Actions
substitutes `${{ ... }}` into the script text before the shell runs, an issue
title containing shell metacharacters is evaluated by bash. The job checks out
the repo with an SSH deploy key and auto-merges the resulting PR, so the value
runs in a context that has write access.

This passes the title through an `ISSUE_TITLE` environment variable and
references it as `"$ISSUE_TITLE"`, which the shell treats as data rather than
re-evaluating. This is the pattern GitHub documents for untrusted run-step
expressions (actions/expression-injection).

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant