Skip to content

fix: mitigate command injection risk in background tasks workflow#13673

Open
MatrixNeoKozak wants to merge 1 commit into
MicrosoftDocs:mainfrom
MatrixNeoKozak:fix/improvement-1782321474485
Open

fix: mitigate command injection risk in background tasks workflow#13673
MatrixNeoKozak wants to merge 1 commit into
MicrosoftDocs:mainfrom
MatrixNeoKozak:fix/improvement-1782321474485

Conversation

@MatrixNeoKozak

Copy link
Copy Markdown

In the GitHub Actions workflow BackgroundTasks.yml, the Save payload data step expands the PayloadJson environment variable directly in a bash command via echo $PayloadJson. Because this workflow is triggered on pull_request_target, an external contributor can control properties within the github context (such as pull request titles, descriptions, or branch names). If any of these fields contain special characters like semicolons, backticks, or shell evaluation sequences, they are evaluated by the shell, leading to a command injection vulnerability. This is resolved by writing the environment variable directly using printenv PayloadJson > ./pr/PayloadJson.json, which avoids shell evaluation of the variable's contents.

@learn-build-service-prod

Copy link
Copy Markdown
Contributor

Learn Build status updates of commit 6dcc62e:

✅ Validation status: passed

File Status Preview URL Details
.github/workflows/BackgroundTasks.yml ✅Succeeded

For more details, please refer to the build report.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant