Run Block Injection

  • Query id: 20f14e1a-a899-4e79-9f09-b6a84cd4649b
  • Query name: Run Block Injection
  • Platform: CICD
  • Severity: Medium
  • Category: Insecure Configurations
  • CWE: 94
  • URL: Github

Description

GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
name: Web Page To Markdown
on:
  issues:
    types: [opened]
jobs:
  WebPageToMarkdown:
    runs-on: ubuntu-latest
    steps:
      - name: Does the issue need to be converted to markdown
        run: |
          if [ "${{ github.event.issue.body }}" ]; then
            if [[ "${{ github.event.issue.title }}" =~ ^\[Auto\]* ]]; then
              :
            else
              echo "This issue does not need to generate a markdown file." 1>&2
              exit 1;
            fi;
          else
            echo "The description of the issue is empty." 1>&2
            exit 1;
          fi;
        shell: bash
      - name: Checkout
        uses: actions/checkout@v4
        with:
          ref: ${{ github.head_ref }}
      - name: Crawl pages and generate Markdown files
        uses: freeCodeCamp-China/article-webpage-to-markdown-action@v0.1.8
        with:
          newsLink: '${{ github.event.issue.Body }}'
          markDownFilePath: './chinese/articles/'
          githubToken: ${{ github.token }}
      - name: Git Auto Commit
        uses: stefanzweifel/git-auto-commit-action@v4.9.2
        with:
          commit_message: '${{ github.event.issue.title }}'
          file_pattern: chinese/articles/*.md
          commit_user_name: PageToMarkdown Bot
          commit_user_email: PageToMarkdown-bot@freeCodeCamp.org
Positive test num. 2 - yaml file
name: Pull Request Workflow

on:
  pull_request_target:
    types:
      - opened

jobs:
  process_pull_request:
    runs-on: ubuntu-latest
    steps:
      - name: Echo Pull Request Body
        run: |
          echo "Pull Request Body: ${{ github.event.pull_request.body }}"
Positive test num. 3 - yaml file
name: Issue Comment Workflow

on:
  issue_comment:
    types:
      - created

jobs:
  process_issue_comment:
    runs-on: ubuntu-latest
    steps:
      - name: Echo Issue Comment Body
        run: |
          echo "Issue Comment Body: ${{ github.event.comment.body }}"

Positive test num. 4 - yaml file
name: Discussion Workflow

on:
  discussion:
    types:
      - created

jobs:
  process_discussion:
    runs-on: ubuntu-latest
    steps:
      - name: Echo Discussion Title
        run: |
          echo "Discussion Title: ${{ github.event.discussion.title }}"
Positive test num. 5 - yaml file
name: Discussion Comment Workflow

on:
  discussion_comment:
    types:
      - created

jobs:
  process_discussion_comment:
    runs-on: ubuntu-latest
    steps:
      - name: Echo Discussion Comment Body
        run: |
          echo "Discussion Comment Body: ${{ github.event.comment.body }}"
Positive test num. 6 - yaml file
name: Author Workflow

on:
  author:
    types:
      - created

jobs:
  process_author:
    runs-on: ubuntu-latest
    steps:
      - name: Echo Author's Username
        run: |
          echo "Author's Name: ${{ github.event.authors.name }}"
Positive test num. 7 - yaml file
name: Workflow Run Workflow

on:
  workflow_run:
    workflows:
      - "Your Workflow Name" # Replace with the name of your specific workflow

jobs:
  process_workflow_run:
    runs-on: ubuntu-latest
    steps:
      - name: Echo Workflow Run Name
        run: |
          echo "Workflow Run Path: ${{ github.event.workflow.path }}"

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
name: check-go-coverage

on:
  pull_request_target:
    branches: [master]

jobs:
  coverage:
    name: Check Go coverage
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Source
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set up Go 1.22.x
        uses: actions/setup-go@v5
        with:
          go-version: 1.22.x
      - name: Run test metrics script
        id: testcov
        run: |
          make test-coverage-report | tee test-results
          echo "coverage=$(cat test-results | grep "Total coverage: " test-results | cut -d ":" -f 2 | bc)" >> $GITHUB_ENV
      - name: Checks if Go coverage is at least 80%
        if: env.coverage < 80
        run: |
          echo "Go coverage is lower than 80%: ${{ env.coverage }}%"
          exit 1
Negative test num. 2 - yaml file
name: Issue Workflow

on:
  issues:
    types:
      - opened

jobs:
  process_issue:
    runs-on: ubuntu-latest
    steps:
      - name: Greet the New Issue
        run: |
          # Echo a simple sentence
          echo "Hello, a new issue has been opened!"
Negative test num. 3 - yaml file
name: Discussion Workflow

on:
  discussion:
    types:
      - created

jobs:
  process_discussion:
    runs-on: ubuntu-latest
    steps:
      - name: Greet the New Discussion
        run: |
          echo "Hello, a new discussion has been created!"

Negative test num. 4 - yaml file
name: Issue Comment Workflow

on:
  issue_comment:
    types:
      - created

jobs:
  process_issue_comment:
    runs-on: ubuntu-latest
    steps:
      - name: Greet the New Issue Comment
        run: |
          echo "Hello, a new issue comment has been created!"
Negative test num. 5 - yaml file
name: Discussion Comment Workflow

on:
  discussion_comment:
    types:
      - created

jobs:
  process_discussion_comment:
    runs-on: ubuntu-latest
    steps:
      - name: Greet the New Discussion Comment
        run: |
          echo "Hello, a new discussion comment has been created!"
Negative test num. 6 - yaml file
name: Author Workflow

on:
  author:
    types:
      - created

jobs:
  process_author:
    runs-on: ubuntu-latest
    steps:
      - name: Greet the New Author
        run: |
          echo "Hello, a new author has been created!"
Negative test num. 7 - yaml file
name: Workflow Run Workflow

on:
  workflow_run:
    workflows:
      - "Your Workflow Name" # Replace with the name of your specific workflow

jobs:
  process_workflow_run:
    runs-on: ubuntu-latest
    steps:
      - name: Greet the New Workflow Run
        run: |
          echo "Hello, a new workflow run has started for 'Your Workflow Name'!"