fix: pass user inputs via env vars to prevent shell/code injection #1
Open
Conversation
All user-controlled inputs (extras, package-dir, output-dir, config-file,
only) were previously interpolated directly into run: directives via
${{ inputs.* }} expressions. This allows command injection:
- inputs.extras was interpolated into a Python heredoc as a string literal,
enabling arbitrary Python/system code execution via string escape.
- inputs.package-dir, output-dir, config-file, and only were interpolated
directly into shell commands; a double-quote in the value breaks out of
the quoting applied by format().
Fix: route all inputs through environment variables. GitHub Actions resolves
env: values safely and the shell reads them via $VAR / $env:VAR, which
is not subject to word splitting or injection regardless of content.
Reported by Contrast Security labs-action-scanner.
Summary
All user-controlled inputs (extras, package-dir, output-dir, config-file, only) were previously interpolated directly into run: directives via ${{ inputs.* }} expressions, enabling command injection.
Vulnerabilities fixed
- inputs.extras: arbitrary code execution (critical). Interpolated as a string literal inside a Python heredoc. An attacker controlling this input can escape the string and execute arbitrary Python/system commands.
- inputs.package-dir, inputs.output-dir, inputs.config-file, inputs.only: argument/shell injection. Interpolated directly into shell run: steps. A " in any value breaks out of the quoting applied by format(), enabling flag injection into the cibuildwheel invocation.
Fix
Route all inputs through environment variables. The shell reads them via $VAR/$env:VAR, which is immune to injection regardless of content. Array-based command construction (cmd=()) is used on bash; equivalent on PowerShell.
Notes
- inputs.extras now read from $CIBW_EXTRAS_INPUT env var in the Python heredoc via os.environ.get()
Reported by Contrast Security labs-action-scanner.
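The before/after pattern the description refers to, written out as an added example rather than the PR's own diff. Input names and CIBW_EXTRAS_INPUT come from the description; the other env var names, the step layout and the cibuildwheel flags used are assumptions.

```yaml
# BEFORE: the runner substitutes ${{ inputs.* }} into the script text itself,
# so the shell and the Python interpreter parse whatever the caller supplied.
- name: Build wheels (vulnerable pattern)
  shell: bash
  run: |
    python - <<'EOF'
    extras = "${{ inputs.extras }}"   # string literal: a quote in the value ends it
    print(extras)
    EOF
    cibuildwheel --output-dir "${{ inputs.output-dir }}" "${{ inputs.package-dir }}"

# AFTER: inputs are handed over as environment variables. The runner sets them
# as values, never as script text, so the scripts only ever reference $VAR.
- name: Build wheels (hardened pattern)
  shell: bash
  env:
    CIBW_EXTRAS_INPUT: ${{ inputs.extras }}      # name from the PR description
    PACKAGE_DIR_INPUT: ${{ inputs.package-dir }} # assumed names from here on
    OUTPUT_DIR_INPUT: ${{ inputs.output-dir }}
    CONFIG_FILE_INPUT: ${{ inputs.config-file }}
    ONLY_INPUT: ${{ inputs.only }}
  run: |
    python - <<'EOF'
    import os
    # Plain data read at runtime; never part of the source being parsed.
    extras = os.environ.get("CIBW_EXTRAS_INPUT", "")
    print(extras)
    EOF
    # Build argv as an array: each quoted expansion is exactly one argument,
    # whatever characters (quotes, spaces, dashes) the value contains.
    cmd=(cibuildwheel --output-dir "$OUTPUT_DIR_INPUT")
    if [ -n "$CONFIG_FILE_INPUT" ]; then
      cmd+=(--config-file "$CONFIG_FILE_INPUT")
    fi
    if [ -n "$ONLY_INPUT" ]; then
      cmd+=(--only "$ONLY_INPUT")
    fi
    cmd+=("$PACKAGE_DIR_INPUT")
    "${cmd[@]}"
```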