actions/codecov-action
2
0
Fork 0
mirror of https://github.com/codecov/codecov-action.git synced 2026-05-16 00:05:53 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

fix: prevent template injection in run: steps (VULN-1652) (#1947)
Some checks failed
Workflow for Codecov Action / run (macos-latest) (push) Has been cancelled
Details
Workflow for Codecov Action / run (ubuntu-latest) (push) Has been cancelled
Details
Workflow for Codecov Action / run (windows-latest) (push) Has been cancelled
Details
Workflow for Codecov Action / run-macos-latest-xlarge (push) Has been cancelled
Details
Workflow for Codecov Action / run-container (push) Has been cancelled
Details
Scorecards supply-chain security / Scorecards analysis (push) Has been cancelled
Details
Workflow for Codecov Action / run-alpine-missing-deps (push) Has been cancelled
Details
Workflow for Codecov Action / run-alpine-success (push) Has been cancelled
Details
Workflow for Codecov Action / run-alpine-partial-deps (push) Has been cancelled
Details
CodeQL / Analyze (push) Has been cancelled
Details

Browse source 
Replace direct ${{ inputs.skip_validation }}, ${{ inputs.use_oidc }},
${{ inputs.token }}, and ${{ env.CODECOV_TOKEN }} interpolation inside
run: shell scripts with env-var indirection. GitHub Actions resolves
template expressions before the shell sees the script, so any consumer
workflow that passes user-controlled data into these inputs could
achieve arbitrary command execution on the runner. Moving the values
into env: entries and referencing them as $INPUT_* shell variables
ensures the shell always treats them as data, not code.
This commit is contained in:
Tom Hu 2026-05-14 03:59:22 +09:00 committed by GitHub
parent 57e3a136b7
commit 51e64229ac
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 11 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

17
action.yml
View file

@ -177,6 +177,8 @@ runs:
steps:
- name: Check system dependencies
shell: sh
env:
INPUT_SKIP_VALIDATION: ${{ inputs.skip_validation }}
run: |
missing_deps=""
@ -188,7 +190,7 @@ runs:
done
# Check for gpg only if validation is not being skipped
if [ "${{ inputs.skip_validation }}" != "true" ]; then
if [ "$INPUT_SKIP_VALIDATION" != "true" ]; then
if ! command -v gpg >/dev/null 2>&1; then
missing_deps="$missing_deps gpg"
fi
@ -245,24 +247,27 @@ runs:
- name: Get and set token
shell: bash
run: |
if [ "${{ inputs.use_oidc }}" == 'true' ] && [ "$CC_FORK" != 'true' ];
if [ "$INPUT_USE_OIDC" == 'true' ] && [ "$CC_FORK" != 'true' ];
then
echo "CC_TOKEN=$CC_OIDC_TOKEN" >> "$GITHUB_ENV"
elif [ -n "${{ env.CODECOV_TOKEN }}" ];
elif [ -n "$INPUT_CODECOV_TOKEN" ];
then
echo -e "\033[0;32m==>\033[0m Token set from env"
echo "CC_TOKEN=${{ env.CODECOV_TOKEN }}" >> "$GITHUB_ENV"
echo "CC_TOKEN=$INPUT_CODECOV_TOKEN" >> "$GITHUB_ENV"
else
if [ -n "${{ inputs.token }}" ];
if [ -n "$INPUT_TOKEN" ];
then
echo -e "\033[0;32m==>\033[0m Token set from input"
CC_TOKEN=$(echo "${{ inputs.token }}" | tr -d '\n')
CC_TOKEN=$(echo "$INPUT_TOKEN" | tr -d '\n')
echo "CC_TOKEN=$CC_TOKEN" >> "$GITHUB_ENV"
fi
fi
env:
CC_OIDC_TOKEN: ${{ steps.oidc.outputs.result }}
CC_OIDC_AUDIENCE: ${{ inputs.url || 'https://codecov.io' }}
INPUT_USE_OIDC: ${{ inputs.use_oidc }}
INPUT_TOKEN: ${{ inputs.token }}
INPUT_CODECOV_TOKEN: ${{ env.CODECOV_TOKEN }}
- name: Override branch for forks
shell: bash