Skip to content

fix: prevent GitHub Actions expression injection via tag name in Release workflow#21

Merged
igraovac-bsci merged 1 commit into
mainfrom
fix-gh-workflow
Jul 6, 2026
Merged

fix: prevent GitHub Actions expression injection via tag name in Release workflow#21
igraovac-bsci merged 1 commit into
mainfrom
fix-gh-workflow

Conversation

@igraovac-bsci

Copy link
Copy Markdown
Contributor

Summary

Fixes a critical GitHub Actions expression injection in the Release workflow (.github/workflows/release.yml).

The Prepare workspace snippet step interpolated the tag name directly into a shell command using expression syntax:

run: .github/workflows/workspace_snippet.sh ${{ env.GITHUB_REF_NAME }} > release_notes.txt

GitHub evaluates ${{ }} before the shell runs, pasting the raw tag name into the command line. Because the Release workflow triggers on v*.*.* tag pushes and tag names can contain shell metacharacters (;, backticks, &&, |, $()), a crafted tag could execute arbitrary commands on the runner — with access to that job's GITHUB_TOKEN and any secrets in the environment.

Fix

Bind the ref name to an environment variable and reference it as a quoted shell variable, so GitHub never substitutes untrusted text into the shell command:

- name: Prepare workspace snippet
  env:
      GITHUB_REF_NAME: ${{ github.ref_name }}
  run: .github/workflows/workspace_snippet.sh "$GITHUB_REF_NAME" > release_notes.txt

This is GitHub's recommended remediation pattern for untrusted input in run: steps. The value is now passed to the shell at runtime as inert data; metacharacters are treated literally.

Test plan

  • Verify the Release workflow still produces release_notes.txt on a normal tag (e.g. v1.2.3).
  • Confirm a tag containing shell metacharacters no longer executes injected commands (treated as literal data).

Made with Cursor

The Prepare workspace snippet step interpolated ${{ env.GITHUB_REF_NAME }}
directly into the shell command, allowing a crafted tag name to execute
arbitrary commands on the runner and steal GITHUB_TOKEN. Pass the ref name
through an environment variable and reference it as a quoted shell variable
instead.

Co-authored-by: Cursor <cursoragent@cursor.com>
@igraovac-bsci igraovac-bsci merged commit 8a322a7 into main Jul 6, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

2 participants