fix: mitigate shell injection in discussion workflow (MSRC 110700)#360
nicholasdbrady wants to merge 1 commit into main from
Move user-controlled GitHub Actions expressions (${{ github.event.discussion.* }})
from inline shell interpolation to env: variables to prevent shell injection.
Use jq for safe JSON payload construction instead of string concatenation.
Previously, discussion title/number/url were interpolated directly into a
bash run: block via ${{ }} expansion. An attacker could craft a discussion
title to break out of single quotes and execute arbitrary commands,
potentially exfiltrating the FOUNDRY_DOCS_DISPATCH_TOKEN secret.
Fix details:
- All user-controlled expressions moved to env: block (safe from shell interpretation)
- JSON payload built with jq --arg/--argjson (proper escaping of all special chars)
- curl uses -fsS flags to fail loudly on HTTP errors
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Summary
Fixes a critical shell injection vulnerability in `.github/workflows/on-discussion-created.yml` (MSRC Case 110700).
Vulnerability
The "Dispatch to foundry-docs" step interpolated user-controlled `${{ github.event.discussion.* }}` expressions directly into a bash `run:` block. Since GitHub Actions expands `${{ }}` before the shell runs, an attacker could create a discussion with a crafted title to break out of single quotes and execute arbitrary commands on the runner — potentially exfiltrating the `FOUNDRY_DOCS_DISPATCH_TOKEN` secret.
Attack vector: Any user can create a discussion on this public repository (no permissions required).
Fix
- `env:` variables — values are set as environment variables and are NOT subject to shell interpretation
- `jq` using `--arg`/`--argjson` — proper escaping of all special characters (quotes, backticks, `$`, etc.)
- `curl -fsS` — fail loudly on HTTP errors instead of silent failure
Testing
The fix has been validated through code review and rubber-duck analysis. The `jq` tool is pre-installed on GitHub-hosted `ubuntu-latest` runners.
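As an added illustration of the pattern this PR describes (this is an example written for this page, not the PR's own diff), here is a minimal dispatch step in its vulnerable form next to the hardened form. The `OWNER` repository path, the `discussion-created` event type and the `DISPATCH_TOKEN` env name are assumptions; the step name and secret name come from the PR text.

```yaml
# Added example, not the PR's diff. OWNER and the event_type are placeholders.

# BEFORE (vulnerable): ${{ }} is expanded by Actions before bash ever parses
# the script, so the discussion title becomes part of the script text itself.
# A title containing a single quote terminates the quoted JSON literal, and
# whatever follows is interpreted as shell with the secret in scope.
- name: Dispatch to foundry-docs (vulnerable)
  run: |
    curl -X POST \
      -H "Authorization: Bearer ${{ secrets.FOUNDRY_DOCS_DISPATCH_TOKEN }}" \
      https://api.github.com/repos/OWNER/foundry-docs/dispatches \
      -d '{"event_type":"discussion-created","client_payload":{"title":"${{ github.event.discussion.title }}","number":${{ github.event.discussion.number }},"url":"${{ github.event.discussion.url }}"}}'

# AFTER (hardened): user-controlled values reach the step only through env:,
# which bash sees as ordinary variables, never as script text. jq --arg
# string-escapes the title and URL; --argjson keeps the number a JSON number
# (and fails the step if the value is not valid JSON). curl -fsS makes an
# HTTP error fail the job instead of passing silently.
- name: Dispatch to foundry-docs
  env:
    DISPATCH_TOKEN: ${{ secrets.FOUNDRY_DOCS_DISPATCH_TOKEN }}
    DISCUSSION_TITLE: ${{ github.event.discussion.title }}
    DISCUSSION_NUMBER: ${{ github.event.discussion.number }}
    DISCUSSION_URL: ${{ github.event.discussion.url }}
  run: |
    set -euo pipefail
    payload=$(jq -cn \
      --arg title "$DISCUSSION_TITLE" \
      --argjson number "$DISCUSSION_NUMBER" \
      --arg url "$DISCUSSION_URL" \
      '{event_type: "discussion-created",
        client_payload: {title: $title, number: $number, url: $url}}')
    curl -fsS -X POST \
      -H "Authorization: Bearer $DISPATCH_TOKEN" \
      -H "Accept: application/vnd.github+json" \
      https://api.github.com/repos/OWNER/foundry-docs/dispatches \
      -d "$payload"
```

The same rule applies to every `github.event.*` field an outside user can influence (issue titles, PR bodies, branch names, commit messages): pass it through `env:` and treat it as data, never splice it into `run:` with `${{ }}`.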