Run Block Injection
- Query id: 20f14e1a-a899-4e79-9f09-b6a84cd4649b
- Query name: Run Block Injection
- Platform: CICD
- Severity: Medium
- Category: Insecure Configurations
- CWE: 94
- URL: Github
Description
GitHub Actions workflows can be triggered by a variety of events. Every workflow run is provided with a `github` context that contains information about the triggering event, such as which user triggered it, the branch name, and other event details. Some of this event data, like the base repository name, the hash of a changeset, or the pull request number, is unlikely to be controlled by the user who triggered the event. Other fields are free text chosen by that user: an issue or pull request title and body, a comment or review body, a commit message and author name, or the name of the head branch (`github.head_ref`). When such a field is referenced with `${{ ... }}` inside a `run:` block, the runner expands the expression into the script text before the shell parses it, so a value containing shell metacharacters (a closing quote followed by `;`, a `$( )` substitution, backticks) becomes part of the command and executes with the job's permissions and its `GITHUB_TOKEN`. This query flags `run:` blocks that interpolate such user-controlled context values. The fix is to pass the value to the step through `env:` and read it in the script as a quoted shell variable, so the shell treats it as data rather than code.
Documentation
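The mechanism described above, as an added example that is not part of the KICS page, GitHub's documentation, or any of the sample workflows: a POSIX shell script that simulates the runner's textual expansion of `${{ github.event.issue.body }}` into the first step of Positive test 1, runs the rendered script against a constructed malicious issue body, and then runs the hardened form in which the same value reaches the script through `env:`. The payload, the variable name `ISSUE_BODY`, and the helper function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not KICS's, GitHub's, or any sample workflow's own code).
# It simulates what the Actions runner does with a run: block: every
# ${{ }} expression is replaced *textually* in the script before the shell
# ever sees it, and then shows why moving the value into env: removes the
# injection.

# Constructed attacker-controlled issue body. It closes the [ "..." ] test,
# appends a command, then re-opens a test so the rest of the script parses.
PAYLOAD='x" ]; then echo INJECTED; fi; if [ "'

# Vulnerable step, mirroring the first step of Positive test 1:
#   run: |
#     if [ "${{ github.event.issue.body }}" ]; then echo "body present"; fi
# The runner substitutes the raw body into the script text (printf %s here
# plays the runner's role); sh then parses the result as code.
render_vulnerable() {
  printf 'if [ "%s" ]; then echo "body present"; fi\n' "$1"
}

run_vulnerable_step() {
  sh -c "$(render_vulnerable "$1")" 2>&1
}

# Hardened step: the expression is assigned in env: and the script reads a
# shell variable. The value is data to the shell and is never parsed as code:
#   env:
#     ISSUE_BODY: ${{ github.event.issue.body }}    # ISSUE_BODY is an assumed name
#   run: |
#     if [ "$ISSUE_BODY" ]; then echo "body present"; fi
run_safe_step() {
  ISSUE_BODY="$1" sh -c 'if [ "$ISSUE_BODY" ]; then echo "body present"; fi' 2>&1
}

# Count output lines that are exactly INJECTED, i.e. the attacker's command ran.
count_injected() {
  printf '%s\n' "$1" | grep -cx 'INJECTED' || true
}

vuln_out=$(run_vulnerable_step "$PAYLOAD")
safe_out=$(run_safe_step "$PAYLOAD")
printf 'rendered vulnerable script:\n%s\n' "$(render_vulnerable "$PAYLOAD")"
printf 'vulnerable step output:\n%s\n\n' "$vuln_out"
printf 'hardened step output:\n%s\n' "$safe_out"
```

Run it with `sh`: the vulnerable step prints `INJECTED` because the body was spliced into the command line, while the hardened step prints only `body present` even though it received the identical payload. The same `env:` pattern fixes the `echo` steps in Positive tests 2 and 3; the rendered script in a real job can also be recovered from the run log, where the runner prints the expanded `run:` text before executing it.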
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
name: Web Page To Markdown
on:
  issues:
    types: [opened]
jobs:
  WebPageToMarkdown:
    runs-on: ubuntu-latest
    steps:
      - name: Does the issue need to be converted to markdown
        # issue body and title are attacker-controlled and are expanded into
        # the script text before bash parses it
        run: |
          if [ "${{ github.event.issue.body }}" ]; then
            if [[ "${{ github.event.issue.title }}" =~ ^\[Auto\]* ]]; then
              :
            else
              echo "This issue does not need to generate a markdown file." 1>&2
              exit 1;
            fi;
          else
            echo "The description of the issue is empty." 1>&2
            exit 1;
          fi;
        shell: bash
      - name: Checkout
        uses: actions/checkout@v4
        with:
          ref: ${{ github.head_ref }}
      - name: Crawl pages and generate Markdown files
        uses: freeCodeCamp-China/article-webpage-to-markdown-action@v0.1.8
        with:
          newsLink: '${{ github.event.issue.Body }}'
          markDownFilePath: './chinese/articles/'
          githubToken: ${{ github.token }}
      - name: Git Auto Commit
        uses: stefanzweifel/git-auto-commit-action@v4.9.2
        with:
          commit_message: '${{ github.event.issue.title }}'
          file_pattern: chinese/articles/*.md
          commit_user_name: PageToMarkdown Bot
          commit_user_email: PageToMarkdown-bot@freeCodeCamp.org
```
Positive test num. 2 - yaml file
```yaml
name: Pull Request Workflow
on:
  pull_request_target:
    types:
      - opened
jobs:
  process_pull_request:
    runs-on: ubuntu-latest
    steps:
      - name: Echo Pull Request Body
        # the PR body is written by whoever opened the PR; under
        # pull_request_target the job also holds a write-capable GITHUB_TOKEN
        run: |
          echo "Pull Request Body: ${{ github.event.pull_request.body }}"
```
Positive test num. 3 - yaml file
```yaml
name: Issue Comment Workflow
on:
  issue_comment:
    types:
      - created
jobs:
  process_issue_comment:
    runs-on: ubuntu-latest
    steps:
      - name: Echo Issue Comment Body
        # any user who can comment controls this value
        run: |
          echo "Issue Comment Body: ${{ github.event.comment.body }}"
```
Positive test num. 4 - yaml file
Positive test num. 5 - yaml file
Positive test num. 6 - yaml file
Positive test num. 7 - yaml file
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
name: check-go-coverage
on:
  pull_request_target:
    branches: [master]
jobs:
  coverage:
    name: Check Go coverage
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Source
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set up Go 1.22.x
        uses: actions/setup-go@v5
        with:
          go-version: 1.22.x
      - name: Run test metrics script
        id: testcov
        run: |
          make test-coverage-report | tee test-results
          echo "coverage=$(cat test-results | grep "Total coverage: " test-results | cut -d ":" -f 2 | bc)" >> $GITHUB_ENV
      - name: Checks if Go coverage is at least 80%
        if: env.coverage < 80
        # env.coverage is computed by the previous step, not taken from the
        # triggering event, so this interpolation is not flagged
        run: |
          echo "Go coverage is lower than 80%: ${{ env.coverage }}%"
          exit 1
```
Negative test num. 2 - yaml file
```yaml
name: Issue Workflow
on:
  issues:
    types:
      - opened
jobs:
  process_issue:
    runs-on: ubuntu-latest
    steps:
      - name: Greet the New Issue
        run: |
          # Echo a simple sentence
          echo "Hello, a new issue has been opened!"
```
Negative test num. 3 - yaml file
```yaml
name: Discussion Workflow
on:
  discussion:
    types:
      - created
jobs:
  process_discussion:
    runs-on: ubuntu-latest
    steps:
      - name: Greet the New Discussion
        run: |
          echo "Hello, a new discussion has been created!"
```
Negative test num. 4 - yaml file
Negative test num. 5 - yaml file
Negative test num. 6 - yaml file
Negative test num. 7 - yaml file
```yaml
name: Workflow Run Workflow
on:
  workflow_run:
    workflows:
      - "Your Workflow Name" # Replace with the name of your specific workflow
jobs:
  process_workflow_run:
    runs-on: ubuntu-latest
    steps:
      - name: Greet the New Workflow Run
        run: |
          echo "Hello, a new workflow run has started for 'Your Workflow Name'!"
```