
template-injection: investigate other sinks #417

Open
2 tasks done
woodruffw opened this issue Jan 10, 2025 · 1 comment
Labels
enhancement New feature or request false-negative

Comments


woodruffw commented Jan 10, 2025

Right now we support run: and actions/github-script as potential "sinks" where template injection can occur, but there are others:

  • azure/powershell: runs powershell scripts
  • azure/cli: runs bash scripts

xref https://github.blog/security/application-security/how-to-secure-your-github-actions-workflows-with-codeql/
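To show what a sink-aware check for the cases listed above looks like, here is a small detection script. It is an added example, not zizmor's own code: the workflow is a constructed dict (as PyYAML would produce from a workflow file), the `script` and `inlineScript` input names are assumed from the actions' documented inputs, and the list of attacker-influenced contexts is a starting set, not a complete one.

```python
from __future__ import annotations
import re

# Step inputs treated as template-injection sinks, keyed by action name with
# the @version suffix stripped. Input names are assumed from each action's docs.
ACTION_SINKS = {
    "actions/github-script": "script",
    "azure/powershell": "inlineScript",
    "azure/cli": "inlineScript",
}

# Expression contexts an external contributor can influence (starting set).
ATTACKER_CONTROLLED = (
    "github.event.issue.title", "github.event.issue.body",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.comment.body", "github.event.pull_request.head.ref",
    "github.head_ref",
)

EXPR_RE = re.compile(r"\$\{\{(.*?)\}\}", re.DOTALL)


def sink_text(step: dict) -> tuple[str, str] | None:
    """Return (sink name, text) if this step feeds text into a known sink."""
    if "run" in step:
        return "run", str(step["run"])
    action = step.get("uses", "").split("@", 1)[0]
    input_name = ACTION_SINKS.get(action)
    if input_name and input_name in step.get("with", {}):
        return f"{action}.{input_name}", str(step["with"][input_name])
    return None


def find_injections(workflow: dict) -> list[dict]:
    """Flag ${{ }} expressions over attacker-controlled contexts inside sinks."""
    findings = []
    for job_name, job in workflow.get("jobs", {}).items():
        for idx, step in enumerate(job.get("steps", [])):
            hit = sink_text(step)
            if hit is None:
                continue
            sink, text = hit
            for expr in (e.strip() for e in EXPR_RE.findall(text)):
                if any(expr.startswith(ctx) for ctx in ATTACKER_CONTROLLED):
                    findings.append({"job": job_name, "step": idx, "sink": sink, "expr": expr})
    return findings


# Constructed workflow (already parsed from YAML). Step 3 only uses github.sha and
# step 4 passes the title through env instead of the sink, so neither is flagged.
SAMPLE_WORKFLOW = {"jobs": {"triage": {"steps": [
    {"run": 'echo "${{ github.event.issue.title }}"'},
    {"uses": "azure/cli@v2", "with": {"inlineScript": 'az group list --tag "${{ github.head_ref }}"'}},
    {"uses": "azure/powershell@v2", "with": {"inlineScript": 'Write-Host "${{ github.sha }}"'}},
    {"uses": "actions/github-script@v7", "with": {"script": "console.log(process.env.TITLE)"},
     "env": {"TITLE": "${{ github.event.issue.title }}"}},
]}}}
```

Running `find_injections(SAMPLE_WORKFLOW)` reports the `run` step and the `azure/cli` step; the `actions/github-script` step is clean because the expression sits in `env`, which is the mitigation the linked GitHub post recommends.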

@woodruffw woodruffw added enhancement New feature or request false-negative labels Jan 10, 2025
woodruffw (Owner, Author) commented:

GitHub appears to define their collected ones here: https://github.com/github/codeql/tree/fcf6c3c4e83f127aea9ce5aed3e0ceb4feb65bc5/actions/ql/lib/ext
