The run command will create a script from its input and run that script. The run command does not know the difference between commands and data. Therefore, when user input is put directly into the run command, there is a script injection vulnerability that can be exploited as we just did.
The way to mitigate this vulnerability is to put the user input into an environment variable, which is not used to generate the script that the run command executes.
Let's edit the Check issue title workflow to use an environment variable. Putting the user input into an environment variable, then using the environment variable in the script will mitigate the script injection vulnerability.
- Open the file .github/workflows/check-issue-title.yml
- Add an environment variable section to the
Check issue titlestep...
- name: Check issue title
env:
ISSUE_TITLE: ${{ github.event.issue.title }}
run: |
...
- Use the new environment variable in the run command...
run: |
title="$ISSUE_TITLE"
...
- Test this out by creating a new issue as we did in exercise 1.
- Notice that the
ls -s $GITHUB_WORKSPACEcommand does not appear in the output as it did previously.
Next, let's edit the Check issue title action to use an environment variable also.
- Open the file .github/actions/check-issue-title-action/action.yml
- Add an environment variable section to the
Check issue titlestep...
- name: Check issue title
shell: bash
env:
ISSUE_TITLE: ${{ github.event.issue.title }}
run: |
...
- Use the new environment variable in the run command...
run: |
if [[ "$ISSUE_TITLE" =~ ^octocat ]]; then
...