Skip to content

Prevent script injection in GitHub Actions workflows#939

Merged
ShubhamChaturvedi7 merged 1 commit into
mainlinefrom
fix/gha-script-injection-V2263272257
Jul 16, 2026
Merged

Prevent script injection in GitHub Actions workflows#939
ShubhamChaturvedi7 merged 1 commit into
mainlinefrom
fix/gha-script-injection-V2263272257

Conversation

@ShubhamChaturvedi7

@ShubhamChaturvedi7 ShubhamChaturvedi7 commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Summary

Fixes a script injection in GitHub Actions workflows finding. Untrusted, user-controlled GitHub context values were interpolated directly into inline run: shell scripts, allowing command injection on the runner. Each such value is now bound to an intermediate env: variable and referenced as a properly quoted shell variable (data, not script text) — the mitigation recommended by GitHub's hardening guide.

Changes

  • .github/workflows/go-release.yml — move github.event.inputs.project-name / version into env: in the Get release directory name, Run Go release automation script, and print diff steps; quote all shell references.
  • .github/workflows/smithy-diff.yml — move github.event.pull_request.user.login, github.actor, and github.repository into env: in the comment step.

Testing

  • Verified both files parse as valid YAML.
  • Confirmed no github.event.* / github.actor interpolation remains inside any run: block (all remaining references are within env: blocks).

sim: https://t.corp.amazon.com/V2263272257

Bind untrusted GitHub context values to intermediate environment
variables instead of interpolating them directly into inline run
scripts. User-controlled inputs (workflow_dispatch inputs and
pull_request event fields) spliced into shell scripts allow command
injection on the runner.

- go-release.yml: move github.event.inputs.project-name/version into
  env vars in the release-dir, run-release, and print-diff steps; quote
  all shell references
- smithy-diff.yml: move github.event.pull_request.user.login,
  github.actor, and github.repository into env vars in the comment step

Addresses AWS AppSec ACAT finding (Script Injection in GitHub Actions
workflows).

sim: https://t.corp.amazon.com/V2263272257
@ShubhamChaturvedi7
ShubhamChaturvedi7 requested a review from a team as a code owner July 15, 2026 22:31
@ShubhamChaturvedi7
ShubhamChaturvedi7 merged commit a74c0f2 into mainline Jul 16, 2026
84 checks passed
@ShubhamChaturvedi7
ShubhamChaturvedi7 deleted the fix/gha-script-injection-V2263272257 branch July 16, 2026 17:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants