fix(security): prevent Actions script injection in workflows #326

Merged

jmiller merged 1 commits from fix/workflow-actions-injection into main 2026-06-29 16:19:28 +00:00

Conversation 0 Commits 1 Files Changed 5

+20 -10

jmiller commented 2026-06-29 16:18:49 +00:00

Owner

Copy Link

Copy Source

Summary

Fixes the canonical source of the Actions script-injection vulnerability tracked in MokoConsulting/Template-Joomla#35. Untrusted ${{ }} expressions were interpolated directly into run: shell bodies, allowing command injection via a crafted issue title, PR head ref, or reusable-workflow input. Each is now passed through an env: block and referenced as a shell variable (env vars are not subject to ${{ }} expansion).

Because MokoCLI is the upstream that distributes .mokogitea/workflows/* to Template-Joomla and all consumer repos via the workflow sync, fixing it here propagates the fix everywhere (and won't be reverted on the next sync).

Changes (5 files, +20/−10)

Workflow	Untrusted value moved to env:
ci-issue-reporter.yml	inputs.gate / details / severity / workflow
issue-branch.yml	github.event.issue.title
branch-cleanup.yml	github.event.pull_request.head.ref
pr-check.yml	github.head_ref / github.base_ref
auto-release.yml	github.event.pull_request.head.ref (×2)

*.sha / *.number interpolations were left as-is (hex/integer — not exploitable). if: expression contexts (e.g. branch-cleanup's guards) are not shell and were not changed.

Verification

• All 5 files parse as valid YAML.
• No untrusted ${{ }} remains inside any run: assignment; run bodies now reference $GATE, $DETAILS, $ISSUE_TITLE, $BRANCH, $HEAD/$BASE, $HEAD_REF.

Closes the upstream half of Template-Joomla#35.

## Summary Fixes the canonical source of the Actions **script-injection** vulnerability tracked in `MokoConsulting/Template-Joomla#35`. Untrusted `${{ }}` expressions were interpolated directly into `run:` shell bodies, allowing command injection via a crafted issue title, PR head ref, or reusable-workflow input. Each is now passed through an `env:` block and referenced as a shell variable (env vars are **not** subject to `${{ }}` expansion). Because MokoCLI is the upstream that distributes `.mokogitea/workflows/*` to Template-Joomla and all consumer repos via the workflow sync, fixing it here propagates the fix everywhere (and won't be reverted on the next sync). ## Changes (5 files, +20/−10) | Workflow | Untrusted value moved to `env:` | |---|---| | `ci-issue-reporter.yml` | `inputs.gate` / `details` / `severity` / `workflow` | | `issue-branch.yml` | `github.event.issue.title` | | `branch-cleanup.yml` | `github.event.pull_request.head.ref` | | `pr-check.yml` | `github.head_ref` / `github.base_ref` | | `auto-release.yml` | `github.event.pull_request.head.ref` (×2) | `*.sha` / `*.number` interpolations were left as-is (hex/integer — not exploitable). `if:` expression contexts (e.g. branch-cleanup's guards) are not shell and were not changed. ## Verification - All 5 files parse as valid YAML. - No untrusted `${{ }}` remains inside any `run:` assignment; run bodies now reference `$GATE`, `$DETAILS`, `$ISSUE_TITLE`, `$BRANCH`, `$HEAD`/`$BASE`, `$HEAD_REF`. Closes the upstream half of Template-Joomla#35.

jmiller added 1 commit 2026-06-29 16:18:49 +00:00

fix(security): prevent Actions script injection in workflows ... 113af457d9

Untrusted ${{ }} expressions (issue titles, PR head refs, reusable-workflow
inputs) were interpolated directly into run: shell bodies, allowing command
injection. Each is now passed through an env: block and referenced as a shell
variable in the script (env vars are not subject to ${{ }} expansion).

Files:
- ci-issue-reporter.yml  inputs.gate/details/severity/workflow
- issue-branch.yml       github.event.issue.title
- branch-cleanup.yml     github.event.pull_request.head.ref
- pr-check.yml           github.head_ref / github.base_ref
- auto-release.yml       github.event.pull_request.head.ref (x2)

Propagates to all template consumers via the workflow sync.
Refs MokoConsulting/Template-Joomla#35.

Authored-by: Moko Consulting

jmiller merged commit 9fdd6c5cf9 into main 2026-06-29 16:19:28 +00:00

jmiller deleted branch fix/workflow-actions-injection 2026-06-29 16:19:29 +00:00

jmiller referenced this pull request from MokoConsulting/Template-Joomla 2026-06-29 16:19:51 +00:00

Security: Actions script injection in workflows (untrusted ${{ }} interpolated into run:) #35

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

automation

Automated processes or scripts

breaking-change

Breaking API or functionality change

build

Build system changes

ci-cd

CI/CD pipeline changes

config

Configuration file changes

css

CSS/styling changes

dependencies

Dependency updates

deploy-failure

Automated deploy failure tracking

docker

Docker configuration changes

documentation

Documentation changes

dolibarr

Dolibarr module or extension

generic

Generic project or library

good first issue

Good for newcomers

health-check

Repository health check results

health: excellent

Health score 90-100

health: fair

Health score 50-69

health: good

Health score 70-89

health: poor

Health score below 50

help wanted

Extra attention needed

html

HTML template changes

javascript

JavaScript code changes

joomla

Joomla extension or component

mokostandards

MokoStandards compliance

needs-review

Awaiting code review

php

PHP code changes

push-failure

File push failure requiring attention

python

Python code changes

security

Security-related changes

size/l

Large change (101-300 lines)

size/m

Medium change (31-100 lines)

size/s

Small change (11-30 lines)

size/xl

Extra large change (301-1000 lines)

size/xs

Extra small change (1-10 lines)

size/xxl

Extremely large change (1000+ lines)

standards-drift

Repository drifted from MokoStandards

standards-update

MokoStandards sync update

sync-failure

Bulk sync failure requiring attention

sync-report

Bulk sync run report

template-validation-failure

Template workflow validation failure

tests

Test suite changes

type: bug

Something isn't working

type: chore

Maintenance tasks

type: enhancement

Enhancement to existing feature

type: feature

New feature or request

type: refactor

Code refactoring

type: version

Version-related change

typescript

TypeScript code changes

version

Version bump or release

version-drift

Version mismatch detected

work-in-progress

Work in progress, not ready for merge

No labels

Priority -

Type -

Milestone

No items

No Milestone

Assignees

Clear assignees

jmiller (Jonathan Miller)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: MokoConsulting/MokoCLI#326