GHA-SEC002: Untrusted Input in Shell Commands
Problem Statement
Untrusted GitHub event fields (for example a pull request title, which any contributor controls) are substituted into `run:` scripts before the shell executes them, so an unsanitized value can inject commands.
Vulnerability
Shell injection: the runner expands `${{ ... }}` expressions into the script text before the shell runs it, so quoting inside the script does not protect against a crafted value.
Code Examples
Insecure Implementation
- run: echo "${{ github.event.pull_request.title }}"   # expression is expanded into the script text; a crafted title changes the command
Secure Implementation
- env:
    TITLE: ${{ github.event.pull_request.title }}   # expanded into an environment variable, not into the script
  run: |
    title="$TITLE"   # the shell reads the value as data
    echo "Received title"
Remediation Steps
- Assign untrusted inputs to variables through the step's `env:` block and read them in the script as `"$VAR"`, rather than writing them into the command.
- Avoid interpolating `${{ ... }}` expressions directly into `run:` commands.
- Validate and sanitize inputs wherever possible.
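As an added example (not part of GHA-SEC002 or any GitHub tooling), the scanner below shows how a reviewer can detect the pattern this rule describes across a repository: it walks a workflow file line by line, tracks `run:` scalars, and reports every `${{ ... }}` expression inside them that references an attacker-influenced context. The list of untrusted context prefixes and the sample workflow are constructed for illustration; the same expression placed under `env:` is deliberately not reported, which is the remediation the page recommends.

```python
"""Flag ${{ ... }} expressions expanded inside `run:` scripts of a GitHub
Actions workflow when they reference attacker-influenced event fields.
Added example code; the prefix list and sample workflow are constructed."""
import re
from typing import List, Tuple

# Contexts an outside contributor can influence (assumed, illustrative list).
UNTRUSTED_PREFIXES = (
    "github.event.",
    "github.head_ref",
)

EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_KEY_RE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")


def _is_untrusted(expr: str) -> bool:
    return any(expr.startswith(p) for p in UNTRUSTED_PREFIXES)


def find_unsafe_interpolations(workflow: str) -> List[Tuple[int, str]]:
    """Return (line_number, expression) for each untrusted expression that
    sits inside a `run:` value. Expressions under `env:` are not reported:
    they reach the shell as data instead of being spliced into the script."""
    findings: List[Tuple[int, str]] = []
    block_indent = None  # column of the `run` key while inside a block scalar
    for lineno, line in enumerate(workflow.splitlines(), start=1):
        in_run = False
        if block_indent is not None:
            indent = len(line) - len(line.lstrip(" "))
            if line.strip() == "" or indent > block_indent:
                in_run = True        # continuation line of `run: |`
            else:
                block_indent = None  # block scalar ended at this line
        if not in_run:
            m = RUN_KEY_RE.match(line)
            if m:
                if m.group(2).startswith(("|", ">")):
                    block_indent = line.index("run:")  # content follows on later lines
                else:
                    in_run = True                      # inline `run: <command>`
        if in_run:
            for expr in EXPR_RE.findall(line):
                if _is_untrusted(expr):
                    findings.append((lineno, expr))
    return findings


# Constructed sample: the insecure step, the "local variable" variant that is
# still injectable, the env-based fix, and a trusted-context expression.
SAMPLE_WORKFLOW = """\
name: pr-check
on: pull_request_target
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - run: echo "${{ github.event.pull_request.title }}"
      - run: |
          title="${{ github.event.pull_request.title }}"
          echo "Received title"
      - env:
          TITLE: ${{ github.event.pull_request.title }}
        run: |
          title="$TITLE"
          echo "Received title"
      - run: echo "sha=${{ github.sha }}"
"""

if __name__ == "__main__":
    for lineno, expr in find_unsafe_interpolations(SAMPLE_WORKFLOW):
        print(f"line {lineno}: untrusted expression in run script: {expr}")
```

Running the module on the sample reports lines 7 and 9 only: the direct interpolation and the shell-variable assignment are both flagged, because in both the expression is expanded into script text; the `env:` step and the `github.sha` expression are not. The scanner is line-based and does not parse YAML fully, so treat it as a triage aid rather than a substitute for a proper workflow linter.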