Possible run-shell-injection #180

Open
@jsf9k

Description

@jsf9k

Hi Team, one comment, possible run-shell-injection severity high at .github/workflows/build.yml line 187. Using variable interpolation with GitHub context data in a run: step could allow an attacker to inject their own code into the runner. GitHub context data can have user input and should be treated as untrusted. Alternatively, you can use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Also, be sure to use double-quotes with the environment variable, like: "$ENVVAR".

Originally posted by @dv4harr10 in cisagov/client-cert-update#53 (comment)
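The pattern the comment describes, as an added illustration rather than the linked workflow or any cisagov code: the step body and the context expression (github.event.pull_request.title) are assumptions chosen to show the difference, since the actual line 187 is not on this page. The first step interpolates the context value straight into the script; the second passes it through an env: variable and quotes it.

```yaml
# Added illustration, not the project's workflow. The step body and the
# context expression (github.event.pull_request.title) are assumptions.
name: example
on: [pull_request]
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      # Injectable: the ${{ }} expression is expanded by the workflow engine
      # before bash runs, so whatever the title contains becomes part of the
      # script text itself, not a string the script operates on.
      - name: Echo title (injectable)
        run: echo "PR title: ${{ github.event.pull_request.title }}"

      # Hardened: the value is handed to the step as an environment variable,
      # so the shell only ever sees it as data. Double-quoting "$PR_TITLE"
      # keeps it a single word and prevents word-splitting and globbing.
      - name: Echo title (safe)
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $PR_TITLE"
```

The same env: indirection applies to any github.* context field that can carry user-controlled text (issue and PR titles and bodies, branch names, commit messages, review comments).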
