fix(security): prevent Actions script injection in workflows #326
1 Commits
| Author | SHA1 | Message | Date |
|---|---|---|---|
| | 113af457d9 | fix(security): prevent Actions script injection in workflows | |
Checks:
- Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push): Failing after 7s
- Generic: Project CI / Lint & Validate (pull_request): Successful in 23s
- Platform: mokocli CI / Gate 1: Code Quality (pull_request): Failing after 1m12s
- pr-check.yml / Branch Policy (pull_request): Has been cancelled
- Universal: PR Check / Secret Scan (pull_request): Has been cancelled
- Universal: PR Check / Validate PR (pull_request): Has been cancelled
- Generic: Repo Health / Access control (pull_request): Has been cancelled
- Generic: Repo Health / Site Health (pull_request): Has been cancelled
- Branch Cleanup / Delete merged branch (pull_request): Has been cancelled
- Universal: Workflow Sync Trigger / Sync workflows to live repos (pull_request): Has been cancelled
- Generic: Project CI / Tests (pull_request): Has been cancelled
- Platform: mokocli CI / Gate 2: Unit Tests (8.1) (pull_request): Has been cancelled
- Platform: mokocli CI / Gate 2: Unit Tests (8.2) (pull_request): Has been cancelled
- Platform: mokocli CI / Gate 2: Unit Tests (8.3) (pull_request): Has been cancelled
- Platform: mokocli CI / Gate 3: Self-Health Check (pull_request): Has been cancelled
- Platform: mokocli CI / Gate 4: Governance (pull_request): Has been cancelled
- Platform: mokocli CI / Gate 5: Template Integrity (pull_request): Has been cancelled
- Platform: mokocli CI / CI Summary (pull_request): Has been cancelled
- Universal: PR Check / Build RC Package (pull_request): Has been cancelled
- Universal: PR Check / Report Issues (pull_request): Has been cancelled
- Generic: Repo Health / Scripts governance (pull_request): Has been cancelled
- Generic: Repo Health / Repository health (pull_request): Has been cancelled
- Generic: Repo Health / Report: Scripts Governance (pull_request): Has been cancelled
- Generic: Repo Health / Report: Repository Health (pull_request): Has been cancelled
- RC Revert / Rename rc/ back to dev/ (pull_request): Has been cancelled
Untrusted ${{ }} expressions (issue titles, PR head refs, reusable-workflow
inputs) were interpolated directly into run: shell bodies, allowing command
injection. Each is now passed through an env: block and referenced as a shell
variable in the script (env vars are not subject to ${{ }} expansion).
Files:
- ci-issue-reporter.yml inputs.gate/details/severity/workflow
- issue-branch.yml github.event.issue.title
- branch-cleanup.yml github.event.pull_request.head.ref
- pr-check.yml github.head_ref / github.base_ref
- auto-release.yml github.event.pull_request.head.ref (x2)
Propagates to all template consumers via the workflow sync.
Refs MokoConsulting/Template-Joomla#35.
Authored-by: Moko Consulting
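The mechanism behind the fix, as an added example (a bash simulation written for this page, not code from the Moko Consulting commit or any of the workflows it lists): the Actions runner evaluates `${{ }}` expressions by text substitution before the step's shell starts, so an expression inside a `run:` body becomes script source, while an expression in `env:` becomes a variable value that the constant script reads. The two `render_*` functions below stand in for those two renderings; `ISSUE_TITLE`, `MARKER` and the payload title are this example's own constructions.

```shell
#!/usr/bin/env bash
# Added example, not code from the Moko Consulting commit. Simulates how the
# Actions runner renders a run: step in the vulnerable and the hardened form,
# then executes each rendering in a fresh bash, the way the runner does.

# Constructed untrusted input: an issue title that closes the quoted string
# and appends a command. $MARKER is where the payload leaves its trace.
MALICIOUS_TITLE='release 1.0"; echo INJECTED >"$MARKER"; echo "'

# Vulnerable pattern. The runner text-substitutes
#   run: echo "Issue: ${{ github.event.issue.title }}"
# so the title becomes part of the script source bash will parse.
render_vulnerable() {
  printf 'echo "Issue: %s"\n' "$1"
}

# Hardened pattern. The expression moves to env:, the script stays constant:
#   env:
#     ISSUE_TITLE: ${{ github.event.issue.title }}
#   run: echo "Issue: $ISSUE_TITLE"
# bash expands $ISSUE_TITLE as a value; it is never re-parsed as code.
render_hardened() {
  printf 'echo "Issue: $ISSUE_TITLE"\n'
}

# Execute a rendered step body as the runner would: a new shell process with
# the job environment. $1 = script text, $2 = ISSUE_TITLE, $3 = MARKER.
run_step() {
  ISSUE_TITLE="$2" MARKER="$3" bash -c "$1"
}

# Returns 0 if the vulnerable rendering let the payload run (marker written).
vulnerable_is_exploited() {
  local marker
  marker="$(mktemp)"; rm -f "$marker"
  run_step "$(render_vulnerable "$MALICIOUS_TITLE")" "$MALICIOUS_TITLE" "$marker" >/dev/null
  if [ -f "$marker" ]; then rm -f "$marker"; return 0; fi
  return 1
}

# Returns 0 if the hardened rendering printed the title verbatim and nothing
# else executed (no marker file appears).
hardened_is_safe() {
  local marker out
  marker="$(mktemp)"; rm -f "$marker"
  out="$(run_step "$(render_hardened)" "$MALICIOUS_TITLE" "$marker")"
  [ ! -f "$marker" ] && [ "$out" = "Issue: $MALICIOUS_TITLE" ]
}

# Stand-alone demonstration.
if vulnerable_is_exploited; then echo "vulnerable: payload executed"; fi
if hardened_is_safe; then echo "hardened: title printed literally, nothing executed"; fi
```

Two caveats a reviewer of the real workflows should still check. The shell reference must stay double-quoted (`"$ISSUE_TITLE"`): an unquoted `$ISSUE_TITLE` cannot inject commands, but it is word-split and glob-expanded, which can still change a command's arguments. And the same rule applies to every other place a value is interpreted as code, for example a `script:` block in `actions/github-script` or an inline `python -c`; moving the expression into `env:` only helps if the script body then reads the variable instead of interpolating it.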