What to do about runner.temp in template injection check?

[funnelfiasco]

In #128, I proposed to exclude runner.temp in the template injection check because it's a value provided by GitHub and thus not exploitable the way, say, a branch name could be.

@woodruffw said:

I think in practice it can't be attacker controlled, but I'm having trouble proving that (and in particular, if it can contain spaces anything else special, it can potentially be an injection source).

I also am having trouble proving it. I can't find in GitHub's docs a description of how it's defined, but it appears to be a predictable directory with a UUID (for example /home/runner/work/_temp/bf7c360e-7ad0-4c65-b10f-ce00c3516531). Even if it does contain spaces or the like, it's not clear to me how it could be used as an attack vector.

But this may be a failure in imagination on my part, and I agree with the principle of not excluding things we aren't very sure about, so I'm starting this discussion to see what I may have missed.

[woodruffw]

Thanks! I appreciate you starting the discussion.

I'll do some more research tonight as well, but I agree currently with your appraisal that it seems like runner.temp can't be attacker controlled in any meaningful way.

I think the only case where this might not be true is a fully attacker controlled/compromised runner, in which case all contexts are potentially injectable and the entire audit is moot. So that's not worth considering 🙂

[funnelfiasco]

If you could figure out how to write an audit rule for "this will be run on an adversarial GitHub runner", you would get a lot of money 😆