From 113af457d9bab2e4a59b1f2c3bd8a5ae945c2a3a Mon Sep 17 00:00:00 2001
From: Jonathan Miller
Date: Mon, 29 Jun 2026 11:18:23 -0500
Subject: [PATCH] fix(security): prevent Actions script injection in workflows
Untrusted ${{ }} expressions (issue titles, PR head refs, reusable-workflow inputs) were interpolated directly into run: shell bodies, allowing command injection. Each is now passed through an env: block and referenced as a shell variable in the script (env vars are not subject to ${{ }} expansion).
Files:
- ci-issue-reporter.yml inputs.gate/details/severity/workflow
- issue-branch.yml github.event.issue.title
- branch-cleanup.yml github.event.pull_request.head.ref
- pr-check.yml github.head_ref / github.base_ref
- auto-release.yml github.event.pull_request.head.ref (x2)
Propagates to all template consumers via the workflow sync. Refs MokoConsulting/Template-Joomla#35.
Authored-by: Moko Consulting
---
 .mokogitea/workflows/auto-release.yml | 7 +++++--
 .mokogitea/workflows/branch-cleanup.yml | 3 ++-
 .mokogitea/workflows/ci-issue-reporter.yml | 12 ++++++++----
 .mokogitea/workflows/issue-branch.yml | 3 ++-
 .mokogitea/workflows/pr-check.yml | 5 +++--
 5 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/.mokogitea/workflows/auto-release.yml b/.mokogitea/workflows/auto-release.yml
index 4489ae0..fa6eb64 100644
--- a/.mokogitea/workflows/auto-release.yml
+++ b/.mokogitea/workflows/auto-release.yml
@@ -99,9 +99,11 @@ jobs:
 fi
 - name: Rename branch to rc
+ env:
+ HEAD_REF: ${{ github.event.pull_request.head.ref || 'dev' }}
 run: |
 php ${MOKO_CLI}/branch_rename.php \
- --from "${{ github.event.pull_request.head.ref || 'dev' }}" --to rc \
+ --from "$HEAD_REF" --to rc \
 --token "${{ secrets.MOKOGITEA_TOKEN }}" \
 --api-base "${MOKOGITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}" \
 --pr "${{ github.event.pull_request.number }}"
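Review bot: `"$HEAD_REF"` is now read by the shell as data, but it is still handed to `branch_rename.php` unvalidated, and the head ref is chosen by whoever opened the PR; a cheap allowlist guard before the `php` call, `case "$HEAD_REF" in ''|*[!A-Za-z0-9._/-]*) echo "refusing malformed head ref" >&2; exit 1 ;; esac`, rejects anything that is not a plain branch name (widen the character class if the project uses other characters in refs). Whether branch_rename.php itself interpolates its `--from` argument into a shell command or URL cannot be seen from this diff, so the env change closes only the workflow-level hole. The two `${{ }}` expressions left inline in this `run:` (`secrets.MOKOGITEA_TOKEN`, `pull_request.number`) are not injectable in practice, but moving them into the same `env:` block would make the file follow one rule throughout. The step's `run:` body ends within the hunk; the enclosing job starts before it.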
@@ -225,10 +227,11 @@ jobs:
 - name: "Determine version bump level"
 id: bump
+ env:
+ HEAD_REF: ${{ github.event.pull_request.head.ref || 'dev' }}
 run: |
 # Fix/patch branches: version was already bumped by pre-release, just strip suffix
 # Feature/dev branches: bump minor for the new stable release
- HEAD_REF="${{ github.event.pull_request.head.ref || 'dev' }}"
 case "$HEAD_REF" in
 fix/*|patch/*|hotfix/*|bugfix/*) BUMP="none" ;;
 *) BUMP="minor" ;;
diff --git a/.mokogitea/workflows/branch-cleanup.yml b/.mokogitea/workflows/branch-cleanup.yml
index 9d884e7..4ea4709 100644
--- a/.mokogitea/workflows/branch-cleanup.yml
+++ b/.mokogitea/workflows/branch-cleanup.yml
@@ -30,8 +30,9 @@ jobs:
 steps:
 - name: Delete source branch
+ env:
+ BRANCH: ${{ github.event.pull_request.head.ref }}
 run: |
- BRANCH="${{ github.event.pull_request.head.ref }}"
 API="${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}/api/v1/repos/${{ github.repository }}/branches"
 ENCODED=$(php -r "echo rawurlencode('${BRANCH}');")
diff --git a/.mokogitea/workflows/ci-issue-reporter.yml b/.mokogitea/workflows/ci-issue-reporter.yml
index 7ad19c8..873e3e2 100644
--- a/.mokogitea/workflows/ci-issue-reporter.yml
+++ b/.mokogitea/workflows/ci-issue-reporter.yml
@@ -59,10 +59,14 @@ jobs:
 env:
 MOKOGITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
 MOKOGITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+ GATE: ${{ inputs.gate }}
+ DETAILS: ${{ inputs.details }}
+ SEVERITY: ${{ inputs.severity }}
+ WORKFLOW: ${{ inputs.workflow }}
 run: |
 chmod +x /tmp/mokocli/cli/ci_issue_reporter.sh
 /tmp/mokocli/cli/ci_issue_reporter.sh \
- --gate "${{ inputs.gate }}" \
- --details "${{ inputs.details }}" \
- --severity "${{ inputs.severity }}" \
- --workflow "${{ inputs.workflow }}"
+ --gate "$GATE" \
+ --details "$DETAILS" \
+ --severity "$SEVERITY" \
+ --workflow "$WORKFLOW"
diff --git a/.mokogitea/workflows/issue-branch.yml b/.mokogitea/workflows/issue-branch.yml
index 11958bd..5ddd539 100644
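Review bot: The `env: HEAD_REF: ${{ github.event.pull_request.head.ref || 'dev' }}` block is now declared verbatim on two steps of this file (here and on the "Rename branch to rc" step in the first hunk); if both steps belong to the same job it could be declared once at the job's `env:` and inherited, which also keeps the `'dev'` fallback in a single place. The hunk itself is sound: `case "$HEAD_REF" in` matches the value against patterns without evaluating it, so an unusual ref can do no more than select the `*)` arm. The `case` statement and the step continue past the end of the hunk.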
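Review bot: The unchanged `ENCODED=$(php -r "echo rawurlencode('${BRANCH}');")` line two lines below the new `env:` still splices the branch name into PHP source text: the shell expands `${BRANCH}` inside the double-quoted `-r` argument, so a ref containing a single quote (which git permits in branch names) terminates the PHP string literal and the remainder is parsed as PHP — the injection this commit removes at the `${{ }}` layer survives one layer down. Because `BRANCH` is now an environment variable, let PHP read it as data instead: `ENCODED=$(php -r 'echo rawurlencode(getenv("BRANCH"));')`. Unlike auto-release.yml, this expression has no `|| ...` fallback, so an empty `BRANCH` would encode to an empty path segment; an early `[ -n "$BRANCH" ] || { echo "no head ref" >&2; exit 1; }` before the call is worth adding. The step continues beyond the hunk, so whether the later DELETE request quotes `$ENCODED` cannot be checked here.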
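Review bot: The four inputs now reach `ci_issue_reporter.sh` as quoted argv, which closes the workflow-level hole, but `inputs.details` is free text supplied by the calling workflow and the script is fetched into `/tmp/mokocli` at run time, so whether it keeps `--details` as data (for example `jq --arg` when assembling the issue body, and no `eval`/`sh -c` on it) is not visible in this diff and is the remaining place to check. `"$GATE"` and `"$SEVERITY"` are likewise caller-controlled and are better validated against the set of values the script accepts than trusted as-is. A one-line comment above the `env:` block stating the rule this commit enforces, `# Untrusted inputs are passed via env, never interpolated into run: text`, would help keep the next contributor from reintroducing an inline `${{ inputs.* }}`.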
--- a/.mokogitea/workflows/issue-branch.yml
+++ b/.mokogitea/workflows/issue-branch.yml
@@ -27,11 +27,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Create branch and comment
+ env:
+ ISSUE_TITLE: ${{ github.event.issue.title }}
 run: |
 TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
 API="${MOKOGITEA_URL}/api/v1/repos/${{ github.repository }}"
 ISSUE_NUM="${{ github.event.issue.number }}"
- ISSUE_TITLE="${{ github.event.issue.title }}"
 # Build slug from title: lowercase, replace non-alnum with dash, trim
 SLUG=$(echo "${ISSUE_TITLE}" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9]/-/g' | sed 's/--*/-/g' | sed 's/^-//;s/-$//' | cut -c1-40)
diff --git a/.mokogitea/workflows/pr-check.yml b/.mokogitea/workflows/pr-check.yml
index c834bf5..35e2d5a 100644
--- a/.mokogitea/workflows/pr-check.yml
+++ b/.mokogitea/workflows/pr-check.yml
@@ -30,9 +30,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check branch merge target
+ env:
+ HEAD: ${{ github.head_ref }}
+ BASE: ${{ github.base_ref }}
 run: |
- HEAD="${{ github.head_ref }}"
- BASE="${{ github.base_ref }}"
 echo "PR: ${HEAD} → ${BASE}"
--
2.52.0
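Review bot: `echo "${ISSUE_TITLE}"` on the `SLUG=` line treats a title that begins with `-n`, `-e` or `-E` as echo options, so such a title is silently altered before it is slugged (bash's builtin echo does not honour `--`); `printf '%s\n' "${ISSUE_TITLE}"` feeds the title to the pipeline verbatim. The `tr`/`sed` chain is what makes `$SLUG` safe to use in a ref name afterwards, but `sed` works byte-wise, so a title made only of punctuation or non-ASCII characters collapses to an empty slug after trimming; a guard such as `[ -n "$SLUG" ] || SLUG="issue"` before the branch is created avoids a malformed name. `TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"` remains an inline expression in the script text; it is not injectable, but it would sit more consistently in the new `env:` block beside `ISSUE_TITLE`. The step continues beyond the hunk.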
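Review bot: `HEAD` and `BASE` are the only env names in this series without the `_REF` suffix; `HEAD` in particular reads like git's symbolic ref, and auto-release.yml names the same value `HEAD_REF`, so `HEAD_REF: ${{ github.head_ref }}` and `BASE_REF: ${{ github.base_ref }}` (with `${HEAD_REF}`/`${BASE_REF}` in the echo) would keep the workflows consistent. The echo line itself is fine, since both values only appear inside a quoted string. If the rest of this step (outside the hunk) compares the refs with `case` or `[[ ... == pattern ]]`, quoting the variables there preserves the data-not-code property this commit establishes.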