Public Access
fix(ci): harden ci-issue-reporter.yml against Actions injection #353
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
The
ci-issue-reporter.ymlreusable workflow passesworkflow_callinputs directly intorun:blocks via${{ inputs.* }}interpolation. This is a known GitHub/Gitea Actions injection vector -- a crafted input string could break out of the shell argument and execute arbitrary commands.Affected Lines
Also the URL interpolation in the clone step:
Fix
Pass all inputs and vars through the
env:block and reference them as shell variables, which are not interpolated at YAML-parse time:The clone step already uses
env:forMOKOGIT_URLbut then overrides it with direct interpolation in therun:block. Remove the inline reassignment and use the env var directly.Scope
This file lives in MokoCLI and is synced to all product repos via workflow-sync. Fixing it here propagates the fix everywhere on next sync.
Branch created:
feature/353-fix-ci-harden-ci-issue-reporter-yml-agaiResolved: ci-issue-reporter.yml routes workflow_call inputs through env: (no inline ${{ inputs.* }} in run:), merged to all 5 template mains. Closing.