Security: Actions script injection in workflows (untrusted ${{ }} interpolated into run:) #35

New Issue

2026-06-29T15:45:33Z

jmiller commented

2026-06-29 15:45:33 +00:00

Summary

Several .mokogitea/workflows/*.yml interpolate untrusted ${{ ... }} expressions directly into run: shell bodies, which allows shell command injection (a crafted branch name, issue title, or workflow_call input can break out of the quotes). Because these workflows are template-sourced and synced downstream (e.g. into MokoSuiteCommunity), the fix belongs here (and ultimately in MokoCLI, the canonical source per the file headers) so it propagates and isn't reverted on the next sync.

Affected (verified in MokoSuiteCommunity's synced copy)

File	Line(s)	Untrusted value
`ci-issue-reporter.yml`	run block	`inputs.details`, `inputs.gate`, `inputs.severity`, `inputs.workflow` (flagged by automated review)
`issue-branch.yml`	~34	`github.event.issue.title`
`branch-cleanup.yml`	~34	`github.event.pull_request.head.ref`
`pr-check.yml`	~34	`github.head_ref`
`auto-release.yml`	~103, ~229	`github.event.pull_request.head.ref`

*.sha / *.number interpolations are not exploitable (hex/integer). Note rc-revert.yml and ci-joomla.yml already use the safe env: pattern — apply it consistently.

Fix

Pass each untrusted value via an env: block and reference the environment variable inside the script (env vars are not subject to ${{ }} expansion):

- name: ...
  env:
    GATE: ${{ inputs.gate }}
    DETAILS: ${{ inputs.details }}
  run: |
    some_script --gate "$GATE" --details "$DETAILS"

Notes

Mirror upstream to MokoCLI (cli//workflow source) so all template consumers inherit the fix.

Raised from automated security review during MokoSuiteCommunity work.

## Summary Several `.mokogitea/workflows/*.yml` interpolate **untrusted** `${{ ... }}` expressions directly into `run:` shell bodies, which allows shell command injection (a crafted branch name, issue title, or `workflow_call` input can break out of the quotes). Because these workflows are template-sourced and synced downstream (e.g. into MokoSuiteCommunity), the fix belongs **here** (and ultimately in MokoCLI, the canonical source per the file headers) so it propagates and isn't reverted on the next sync. ## Affected (verified in MokoSuiteCommunity's synced copy) | File | Line(s) | Untrusted value | |---|---|---| | `ci-issue-reporter.yml` | run block | `inputs.details`, `inputs.gate`, `inputs.severity`, `inputs.workflow` (flagged by automated review) | | `issue-branch.yml` | ~34 | `github.event.issue.title` | | `branch-cleanup.yml` | ~34 | `github.event.pull_request.head.ref` | | `pr-check.yml` | ~34 | `github.head_ref` | | `auto-release.yml` | ~103, ~229 | `github.event.pull_request.head.ref` | `*.sha` / `*.number` interpolations are not exploitable (hex/integer). Note `rc-revert.yml` and `ci-joomla.yml` already use the safe `env:` pattern — apply it consistently. ## Fix Pass each untrusted value via an `env:` block and reference the **environment variable** inside the script (env vars are not subject to `${{ }}` expansion): ```yaml - name: ... env: GATE: ${{ inputs.gate }} DETAILS: ${{ inputs.details }} run: | some_script --gate "$GATE" --details "$DETAILS" ``` ## Notes - Mirror upstream to **MokoCLI** (`cli/`/workflow source) so all template consumers inherit the fix. _Raised from automated security review during MokoSuiteCommunity work._

jmiller added the security label 2026-06-29 15:51:25 +00:00

jmiller referenced this issue from a commit

2026-06-29 16:18:27 +00:00

fix(security): prevent Actions script injection in workflows

jmiller commented

2026-06-29 16:19:51 +00:00

Fixed at the canonical source in MokoCLI — PR MokoConsulting/MokoCLI#326 (merged to main). All five workflows (ci-issue-reporter, issue-branch, branch-cleanup, pr-check, auto-release) now pass untrusted ${{ }} values through env: blocks instead of interpolating them into run: shell bodies.

Since MokoCLI distributes .mokogitea/workflows/* to this repo via the workflow sync, the hardened versions will land here automatically on the next sync (no manual change needed in Template-Joomla). Closing as resolved upstream.

Fixed at the canonical source in **MokoCLI** — PR MokoConsulting/MokoCLI#326 (merged to `main`). All five workflows (`ci-issue-reporter`, `issue-branch`, `branch-cleanup`, `pr-check`, `auto-release`) now pass untrusted `${{ }}` values through `env:` blocks instead of interpolating them into `run:` shell bodies. Since MokoCLI distributes `.mokogitea/workflows/*` to this repo via the workflow sync, the hardened versions will land here automatically on the next sync (no manual change needed in Template-Joomla). Closing as resolved upstream.

jmiller closed this issue

2026-06-29 16:20:02 +00:00

Sign in to join this conversation.

Priority Medium

Type Feature

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: MokoConsulting/Template-Joomla#35