All rules supported by ades are listed and explained in this document, including an example of how to address each one.
When an expression appears in a `run:` directive you can avoid any potential attacks by extracting the expression into an environment variable and using the environment variable instead.

For example, given the workflow snippet:

```yaml
- name: Example step
  run: |
    echo 'Hello ${{ inputs.name }}'
```

it can be made safer by converting it into:

```yaml
- name: Example step
  env:
    NAME: ${{ inputs.name }} # <- Assign the expression to an environment variable
  run: |
    echo "Hello $NAME"
    #    ^      ^^^^^
    #    |      | Replace the expression with the environment variable
    #    |
    #    | Note: the use of double quotes is required in this example (for interpolation)
```
When an expression appears in an actions/github-script script you can avoid any potential attacks by extracting the expression into an environment variable and using the environment variable instead.

For example, given the workflow snippet:

```yaml
- name: Example step
  uses: actions/github-script@v6
  with:
    script: console.log('Hello ${{ inputs.name }}')
```

it can be made safer by converting it into:

```yaml
- name: Example step
  uses: actions/github-script@v6
  env:
    NAME: ${{ inputs.name }} # <- Assign the expression to an environment variable
  with:
    script: console.log(`Hello ${process.env.NAME}`)
    #                   ^      ^^^^^^^^^^^^^^^^^^^
    #                   |      | Replace the expression with the environment variable
    #                   |
    #                   | Note: the use of backticks is required in this example (for interpolation)
```
When an expression appears in the issue close message of roots/issue-closer it is interpreted as an ES6-style template literal. You can avoid any potential attacks by extracting the expression into an environment variable and using the environment variable instead.

For example, given the workflow snippet:

```yaml
- name: Example step
  uses: roots/issue-closer@v1
  with:
    issue-close-message: Closing ${{ github.event.issue.title }}
```

it can be made safer by converting it into:

```yaml
- name: Example step
  uses: roots/issue-closer@v1
  env:
    NAME: ${{ github.event.issue.title }} # <- Assign the expression to an environment variable
  with:
    issue-close-message: Closing ${process.env.NAME}
    #                            ^^^^^^^^^^^^^^^^^^^
    #                            | Replace the expression with the environment variable
```
When an expression appears in the pull request close message of roots/issue-closer it is interpreted as an ES6-style template literal. You can avoid any potential attacks by extracting the expression into an environment variable and using the environment variable instead.

For example, given the workflow snippet:

```yaml
- name: Example step
  uses: roots/issue-closer@v1
  with:
    pr-close-message: Closing ${{ github.event.issue.title }}
```

it can be made safer by converting it into:

```yaml
- name: Example step
  uses: roots/issue-closer@v1
  env:
    NAME: ${{ github.event.issue.title }} # <- Assign the expression to an environment variable
  with:
    pr-close-message: Closing ${process.env.NAME}
    #                         ^^^^^^^^^^^^^^^^^^^
    #                         | Replace the expression with the environment variable
```
When an expression appears in the command input of sergeysova/jq-action you can avoid any potential attacks by extracting the expression into an environment variable and using the environment variable instead.

For example, given the workflow snippet:

```yaml
- name: Example step
  uses: sergeysova/jq-action@v2
  with:
    cmd: jq .version ${{ github.event.inputs.file }} -r
```

it can be made safer by converting it into:

```yaml
- name: Example step
  uses: sergeysova/jq-action@v2
  env:
    FILE: ${{ github.event.inputs.file }} # <- Assign the expression to an environment variable
  with:
    #                | Note: use double quotes to avoid argument splitting
    #                v
    cmd: jq .version "$FILE" -r
    #                 ^^^^^
    #                 | Replace the expression with the environment variable
```
When an expression is used in the tag input for ericcornelissen/git-tag-annotation-action in v1.0.0 or earlier it may be used to execute arbitrary shell commands, see GHSA-hgx2-4pp9-357g. To mitigate this, upgrade the action to a non-vulnerable version.
When an expression is used in the sha input for kceb/git-message-action in v1.1.0 or earlier it may be used to execute arbitrary shell commands (no vulnerability identifier available). To mitigate this, upgrade the action to a non-vulnerable version.
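A small scanner, added here as an example and not ades itself, that applies the rules on this page to the parsed `steps:` of a job: it reports expressions in `run:`, in the listed inputs of actions/github-script, roots/issue-closer and sergeysova/jq-action, and in the version-gated tag and sha inputs of the last two rules. It assumes the steps arrive as the list of mappings a YAML parser such as PyYAML would produce (PyYAML is not imported), and the sample steps are constructed from the snippets above.

```python
import re

# Matches a GitHub Actions expression such as ${{ inputs.name }}
EXPRESSION = re.compile(r"\$\{\{.*?\}\}")
# Action inputs that the rules above say are interpreted as script, shell or template
UNSAFE_INPUTS = {
    "actions/github-script": ("script",),
    "roots/issue-closer": ("issue-close-message", "pr-close-message"),
    "sergeysova/jq-action": ("cmd",),
}
# Inputs that are only dangerous up to and including the listed version
VULNERABLE_UP_TO = {
    "ericcornelissen/git-tag-annotation-action": ("tag", (1, 0, 0)),
    "kceb/git-message-action": ("sha", (1, 1, 0)),
}

def parse_version(ref):
    """'v1.0.0' -> (1, 0, 0); None for refs that are not version tags (branches, SHAs)."""
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", ref)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def scan_steps(steps):
    """Return (step name, field, expression) for each expression in a dangerous field.
    `steps` is the parsed `steps:` list as PyYAML (not imported here) would yield it."""
    findings = []
    for step in steps:
        # Expressions assigned under env: are deliberately not reported: that is the fix
        fields = {"run": step["run"]} if "run" in step else {}
        action, _, ref = step.get("uses", "").partition("@")
        inputs = step.get("with") or {}
        keys = list(UNSAFE_INPUTS.get(action, ()))
        if action in VULNERABLE_UP_TO:
            key, last_bad = VULNERABLE_UP_TO[action]
            version = parse_version(ref)
            # A ref that is not a version tag cannot be proven fixed: treat it as vulnerable
            if version is None or version <= last_bad:
                keys.append(key)
        fields.update((k, inputs[k]) for k in keys if k in inputs)
        for field, value in fields.items():
            for expr in EXPRESSION.findall(str(value)):
                findings.append((step.get("name", "<unnamed>"), field, expr))
    return findings

# Constructed sample: the unsafe/safe `run:` pair from above plus the unsafe github-script step
SAMPLE_STEPS = [
    {"name": "unsafe run", "run": "echo 'Hello ${{ inputs.name }}'"},
    {"name": "safe run", "env": {"NAME": "${{ inputs.name }}"}, "run": 'echo "Hello $NAME"'},
    {"name": "script", "uses": "actions/github-script@v6",
     "with": {"script": "console.log('Hello ${{ inputs.name }}')"}},
]
```

`scan_steps(SAMPLE_STEPS)` reports the `run:` and `script` steps only; the rewritten step that moved the expression into `env:` produces no finding.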