-
Notifications
You must be signed in to change notification settings - Fork 19
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security Hardening for Environment Variables #79
Conversation
Thanks for the PR. Can you please elaborate on a scenario where this would be an issue? |
Yes! In this scenario, a user has set up a workflow and is using environment variables to store arbitrary data. For example: echo "DATA=$(cat path/to/arbitrary/file.txt)" >> $GITHUB_ENV The user might assume their runner is safe because they are not using a runtime (e.g., bash or python) elsewhere (even if they are using this action). However, this action uses |
Hi @RedYetiDev Although I agree that the introduction of environment variables is a potential attack vector in certain cases, hardening this way looks somewhat inefficient. You set the |
Okay, what do you recommend? You can replace the binaries with /usr/bin/... if I recall |
Initially this Action was created as a Docker action, and has additional protection against those injections by design. But later it was converted to the composite action to make it easier to run it on Windows runners (including self-hosted ones), so hardcoding the paths as |
Okay, well I'm not quite sure what's the best approach. I think that users should be aware of the risk, or it should be reduced (to the best of the actions ability) |
I believe that:
|
Okay, so it's up to the implementations and how people use this. |
Very nice and educational discussion 🚀 |
This PR prevents a workflow run executing arbitrary code using environment variables.
Caution
This is a security patch.
I do not see this as an immediate threat, as the workflow that sets the variables would also need to be vulnerable.