
[feature] Add new script injection input #345

Open
hugo-syn opened this issue Aug 20, 2023 · 0 comments

Comments

@hugo-syn
Contributor

Hi,

Using the syntax ${{ env.FOO }} for accessing environment variables can cause severe security issues; it's recommended to use the regular shell syntax $FOO, or $Env:FOO for PowerShell.

Here is a vulnerable workflow example:

```yaml
name: Test

on:
  issues:
    types: [opened]

jobs:
  dummyjob:
    runs-on: ubuntu-latest
    steps:
      - name: Injection step
        run: |
          ls -asl
          # the expression is expanded into the script before the shell runs it
          echo "${{ env.BODY }}" > body.log
          cat body.log
          ls -asl
        env:
          BODY: ${{ github.event.issue.body }}
```

An attacker could open the following issue to get arbitrary code execution inside the GitHub runner:

Closing first double quote"; echo "running code here" > pwned.txt ; echo "closing last double quote

As a result the file pwned.txt is created:

[screenshot: 2023-08-20_14-44]

Using this workflow would prevent the command injection vulnerability:

```yaml
name: Test

on:
  issues:
    types: [opened]

jobs:
  dummyjob:
    runs-on: ubuntu-latest
    steps:
      - name: Injection step
        run: |
          ls -asl
          # the value is read by the shell as data, not expanded into the script
          echo "$BODY" > body.log
          cat body.log
          ls -asl
        env:
          BODY: ${{ github.event.issue.body }}
```

[screenshot: 2023-08-20_14-46]

I already made a PR for this (#332), but you asked for an issue where we can discuss this.

If you don't want to raise an alert for using ${{ env.FOO }}, could we at least allow a wildcard character like in the PR, so that people can add new untrusted inputs?

[screenshot: 2023-08-20_15-03]
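The check the issue asks for, as an added example that is not the project's code and not part of hugo-syn's report: a small stdlib-only Python scanner that reads workflow text, collects every `run:` script, and flags any `${{ ... }}` expression interpolated into it whose context matches an untrusted-input pattern. The default pattern list is a constructed subset (the real set of untrusted contexts is longer), `env.*` is included because `env` values are routinely filled from event data as in the vulnerable workflow above, and the patterns accept fnmatch-style wildcards, which is the "add new untrusted inputs" point from the PR. The two workflows from the issue are embedded as sample input, plus a constructed mixed workflow that also exercises inline `run:` values.

```python
"""Flag ${{ ... }} expressions interpolated into GitHub Actions run: scripts.

The runner expands the expression into the script text before the shell
parses it, so untrusted data becomes part of the command line. Passing
the value via env: and reading "$VAR" keeps it as data.
"""
import fnmatch
import re

# Constructed subset of untrusted contexts; a real checker keeps a fuller list.
DEFAULT_UNTRUSTED = [
    "env.*",                        # env values often carry event data
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
    "github.event.pull_request.*",
    "github.head_ref",
]

# Matches `run: |`, `run: >-`, `- run: echo ...`; groups: indent, block style, inline value
RUN_RE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(?:([|>])[-+]?\s*)?(.*)$")
EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")


def run_scripts(workflow_text):
    """Yield (first_line, script) for each run: step (1-based line numbers).

    Block scalars are every following line indented deeper than the run: key
    (blank lines included); an inline value is returned as a single line.
    """
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        indent, style, inline = m.groups()
        key_line = i + 1
        if style is None:
            yield key_line, inline
            i += 1
            continue
        body = []
        i += 1
        while i < len(lines) and (
            not lines[i].strip()
            or len(lines[i]) - len(lines[i].lstrip()) > len(indent)
        ):
            body.append(lines[i])
            i += 1
        yield key_line + 1, "\n".join(body)


def find_injections(workflow_text, untrusted=DEFAULT_UNTRUSTED):
    """Return [(line, expression, matched_pattern)] for risky interpolations.

    `untrusted` accepts fnmatch wildcards, so callers can add their own
    inputs (e.g. "github.event.*.body") without editing the default list.
    """
    findings = []
    for first_line, script in run_scripts(workflow_text):
        for m in EXPR_RE.finditer(script):
            expr = m.group(1)
            line = first_line + script[: m.start()].count("\n")
            for pattern in untrusted:
                if fnmatch.fnmatchcase(expr, pattern):
                    findings.append((line, expr, pattern))
                    break
    return findings


# Sample inputs: the issue's vulnerable workflow, its fix, and a constructed mix.
VULNERABLE_WORKFLOW = """\
name: Test

on:
  issues:
    types: [opened]

jobs:
  dummyjob:
    runs-on: ubuntu-latest
    steps:
      - name: Injection step
        run: |
          ls -asl
          echo "${{ env.BODY }}" > body.log
          cat body.log
          ls -asl
        env:
          BODY: ${{ github.event.issue.body }}
"""
FIXED_WORKFLOW = VULNERABLE_WORKFLOW.replace('"${{ env.BODY }}"', '"$BODY"')
MIXED_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "Building ${{ github.sha }}"
      - run: echo "${{ github.event.issue.title }}"
      - run: |
          git checkout ${{ github.event.pull_request.head.ref }}
      - run: echo "${{ github.event.discussion.body }}"
"""

if __name__ == "__main__":
    for name, wf in [("vulnerable", VULNERABLE_WORKFLOW), ("fixed", FIXED_WORKFLOW), ("mixed", MIXED_WORKFLOW)]:
        for line, expr, pattern in find_injections(wf, DEFAULT_UNTRUSTED + ["github.event.*.body"]):
            print(f"{name}:{line}: '${{{{ {expr} }}}}' inside run script (matches {pattern})")
```

Running the module reports the `env.BODY` interpolation on line 14 of the vulnerable workflow and nothing for the fixed one, since there the only expression sits under `env:` where it is safe. The mixed workflow shows the wildcard rule in action: `github.event.discussion.body` is missed by the defaults and caught once `github.event.*.body` is added. The scanner deliberately ignores expressions that use functions such as `toJSON(...)`, so it is a first-pass check rather than a complete parser of the expression syntax.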
