run: |
  echo "notes: $NOTES"
</syntaxhighlight>
==== GitHub workflow output parameters ====
GitHub provides a [https://docs.github.com/en/actions/how-tos/write-workflows/choose-what-workflows-do/pass-job-outputs method] for passing values between steps and jobs in a workflow. Previously, developers passed such values by appending <code>NAME=value</code> lines to the file named by <code>GITHUB_ENV</code>, which the runner imports into the environment of every later step in the job. For [https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability-0 example]:
<syntaxhighlight lang="yaml">
run: |
  echo "pr_number=$(cat NR)" >> "$GITHUB_ENV"
</syntaxhighlight>
In this example the contents of the file NR are written into <code>GITHUB_ENV</code> unchecked. The runner parses that file one <code>NAME=value</code> assignment per line, so an attacker who controls the contents of NR can include a newline followed by further assignments and thereby inject additional environment variables into every subsequent step of the job. Depending on which variables are injected (for instance one that changes how a later step's interpreter starts), this can lead to malicious command execution.
The remediation is to write such values to the GitHub output file (<code>GITHUB_OUTPUT</code>) instead of <code>GITHUB_ENV</code>: outputs are only exposed as data through the <code>steps</code> and <code>needs</code> contexts and are never injected into the process environment of later, possibly more privileged, steps. Because <code>GITHUB_OUTPUT</code> is parsed with the same one-assignment-per-line format, the value must still be validated (here, checked to be a decimal integer) and encoded, as with every externally controlled GitHub parameter.
<syntaxhighlight lang="yaml">
run: |
  echo "pr_number=$(cat NR)" >> "$GITHUB_OUTPUT"
</syntaxhighlight>
The output can then be read by later steps in the same job as <code>steps.step_id.outputs.pr_number</code>, where <code>step_id</code> is the <code>id:</code> given to the producing step. To pass it to another job, declare it under that job's <code>outputs:</code> map and read it as <code>needs.job_id.outputs.pr_number</code> in a job that lists <code>job_id</code> in its <code>needs:</code>. Within the same job:
<syntaxhighlight lang="yaml">
steps:
  - id: step_id
    run: |
      echo "pr_number=$(cat NR)" >> "$GITHUB_OUTPUT"
  - env:
      PR_NUMBER: ${{ steps.step_id.outputs.pr_number }}
    run: |
      echo "$PR_NUMBER"
</syntaxhighlight>
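As an added illustration of both the injection and the remediation described above (example code written for this page, not GitHub's own code or the linked blog's), the following POSIX shell script simulates the two <code>run:</code> steps against local files that stand in for <code>GITHUB_ENV</code> and <code>GITHUB_OUTPUT</code>, so it runs offline. The contents of NR, the injected <code>NODE_OPTIONS</code> line and the function names are constructed for the demonstration and are not taken from the page.

```bash
#!/bin/sh
# Added example (not from the page, GitHub's documentation or the linked blog).
# Simulates the vulnerable and the hardened `run:` step against local files
# standing in for $GITHUB_ENV and $GITHUB_OUTPUT. The NR contents below are
# constructed to resemble attacker-controlled input.

# The vulnerable step: whatever NR holds is appended verbatim to the file the
# runner later parses as NAME=value lines, one variable per line.
unsafe_write_env() {            # $1 = contents of NR, $2 = stand-in for $GITHUB_ENV
    printf 'pr_number=%s\n' "$1" >> "$2"
}

# The hardened step: reject anything that is not a decimal integer, then write
# to the outputs file instead of the environment file.
safe_write_output() {           # $1 = contents of NR, $2 = stand-in for $GITHUB_OUTPUT
    nr=$1
    case "$nr" in
        ''|*[!0-9]*)
            echo "refusing to export pr_number: value is not a decimal integer" >&2
            return 1 ;;
    esac
    printf 'pr_number=%s\n' "$nr" >> "$2"
}

# Number of NAME=value lines the runner would import from a file (0 if none).
count_keys() {
    if [ -f "$1" ]; then
        grep -c '^[A-Za-z_][A-Za-z0-9_]*=' "$1" || true
    else
        echo 0
    fi
}

demo() {
    dir=$(mktemp -d)
    # Constructed malicious NR: a plausible number, a newline, then a second
    # NAME=value line that the attacker wants the runner to import.
    evil=$(printf '1234\nNODE_OPTIONS=--require /tmp/evil.js')

    unsafe_write_env "$evil" "$dir/github_env"
    echo "GITHUB_ENV after the unsafe step defines $(count_keys "$dir/github_env") variable(s):"
    cat "$dir/github_env"

    if safe_write_output "$evil" "$dir/github_output"; then
        echo "BUG: malicious NR was accepted"
    else
        echo "hardened step rejected the malicious NR; outputs written: $(count_keys "$dir/github_output")"
    fi

    safe_write_output 1234 "$dir/github_output"
    echo "hardened step with a genuine NR wrote: $(cat "$dir/github_output")"
    rm -rf "$dir"
}

demo
```

Run it with <code>sh</code>: the unsafe function turns a single attacker-supplied value into two importable assignments, one of which is <code>NODE_OPTIONS</code>, while the hardened function refuses the same value and only ever writes a single integer output. Note that the validation is still required after moving to <code>GITHUB_OUTPUT</code>, because that file uses the same one-assignment-per-line format; switching files only limits what an injected line can reach, it does not stop the injection itself.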