ghas-jira-integration

Securing input values

Open cmboling opened this issue 4 years ago • 3 comments

Adding documentation to provide guidance on how to avoid injections using this action. Adding intermediate environment variables will help avoid this issue.

The other approach is to refactor the action.yml, and let the action directly use the envs, provided the envs are absolutely set by users who are using this action. Keep in mind this approach would be a breaking change.

Let me know if you have a preference for either approach or have another idea. 🤞🏼

cmboling avatar Mar 04 '22 08:03 cmboling

@cmboling Thanks, I agree that this should be improved indeed.

I am not sure I understand your second suggestion. Couldn't we just use this to modify the action along the lines of:

name: 'Test action'
description: "Testing"
inputs:
  jira_url:
    description: 'URL of the JIRA instance'
    required: true
runs:
  using: composite
  steps:
  - name: Run a test
    env:
      # the expression is expanded into the variable's value, not into the script
      JIRA_URL: '${{ inputs.jira_url }}'
    shell: bash
    run: |
      echo "$JIRA_URL"

I believe this wouldn't break anything while fixing the issue, or am I missing a detail?

By the way: It's a shame to see you leave! I wish you good luck with whatever you will be doing next!

zbazztian avatar Mar 07 '22 05:03 zbazztian
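The two action.yml shapes discussed above differ only in where the `${{ inputs.jira_url }}` expression sits: inside the `run:` script (expanded into shell source before bash parses it) or under `env:` (delivered as a variable's value). The scanner below, added here as an example and not code from this issue or the ghas-jira-integration project, finds every `${{ }}` expression that lands inside a `run:` script of an action or workflow file, which is the condition the thread's fix removes. It uses only the standard library; both YAML documents are constructed samples mirroring the snippet in the thread, and the line-based `run:` block detection is a deliberate simplification rather than a full YAML parser.

```python
import re
from typing import List, Tuple

# Constructed sample: the shape this issue is about. The runner expands the
# input into the script text, so bash parses whatever the value contains.
VULNERABLE_ACTION = """\
name: 'Test action'
description: "Testing"
inputs:
  jira_url:
    description: 'URL of the JIRA instance'
    required: true
runs:
  using: composite
  steps:
  - name: Run a test
    shell: bash
    run: |
      echo "${{ inputs.jira_url }}"
"""

# Constructed sample: the form proposed in the thread. The expression only
# appears under env:, so the shell sees it as data in $JIRA_URL, not as code.
HARDENED_ACTION = """\
name: 'Test action'
description: "Testing"
inputs:
  jira_url:
    description: 'URL of the JIRA instance'
    required: true
runs:
  using: composite
  steps:
  - name: Run a test
    env:
      JIRA_URL: '${{ inputs.jira_url }}'
    shell: bash
    run: |
      echo "$JIRA_URL"
"""

RUN_KEY_RE = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")


def run_scripts(yaml_text: str) -> List[Tuple[int, str]]:
    """Return (line_number_of_run_key, script_text) for every run: entry.

    Handles the two shapes used in action/workflow files: inline `run: cmd`
    and a block scalar `run: |` / `run: >` whose body is every following
    line indented deeper than the key (blank lines included).
    """
    lines = yaml_text.splitlines()
    found = []
    i = 0
    while i < len(lines):
        m = RUN_KEY_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(m.group(1)) + len(m.group(2) or "")
        rest = m.group(3)
        line_no = i + 1  # 1-based, like an editor would show it
        if rest[:1] in ("|", ">"):
            body = []
            j = i + 1
            while j < len(lines):
                line = lines[j]
                indent = len(line) - len(line.lstrip())
                if line.strip() and indent <= key_indent:
                    break  # back at or above the key's level: block ended
                body.append(line)
                j += 1
            found.append((line_no, "\n".join(body)))
            i = j
        else:
            found.append((line_no, rest))
            i += 1
    return found


def find_injections(yaml_text: str) -> List[Tuple[int, str]]:
    """Return (run_line, expression) for each ${{ }} expression inside a run
    script. Expressions under env: are not reported; that placement is the
    fix. Expressions rooted in inputs.* or github.event.* carry values set
    by the caller or by the triggering event and deserve first attention."""
    return [(line_no, expr)
            for line_no, script in run_scripts(yaml_text)
            for expr in EXPR_RE.findall(script)]


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_ACTION),
                        ("hardened", HARDENED_ACTION)):
        hits = find_injections(text)
        print("%s: %d expression(s) inside run scripts" % (label, len(hits)))
        for line_no, expr in hits:
            print("  run: at line %d interpolates ${{ %s }}" % (line_no, expr))
```

Running it reports one finding for the first document (`inputs.jira_url` at the `run:` on line 12) and none for the second, because the scanner only looks at script bodies and the hardened form keeps the expression out of them. A composite action can be checked the same way before release by pointing `find_injections` at the real action.yml text.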

Ahh yea very true!!! Not sure what I was thinking when I originally thought about the issue, but yea I definitely think your code snippet actually resolves the issue! 💯

cmboling avatar Mar 08 '22 05:03 cmboling

I created a PR for the changes. I reckon you are off this project now, so did not mention you there. This is just FYI. I plan to create a new release once it is merged. Cheers!

zbazztian avatar Mar 11 '22 07:03 zbazztian