New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature Request: checking workflow inputs for Untrusted input #385
Comments
Thanks for your suggestion. I agree that workflow inputs can be untrusted since an untrusted value may be derived from other context properties. It depends on how the input is used in caller site. For example, using Caller: jobs:
call-workflow1:
uses: org/repo/.github/workflows/reusable-workflow.yml@main
with:
# The input `foo` is untrusted
foo: ${{ github.event.issue.body }}
call-workflow2:
uses: org/repo/.github/workflows/reusable-workflow.yml@main
with:
# The input `foo` is not untrusted
foo: test Callee: on:
workflow_call:
inputs:
foo:
type: string
jobs:
test:
runs-on: ubuntu-latest
steps:
# This `inputs.foo` access may or may not be untrusted
- run: echo ${{ inputs.foo }} The option is always reporting that the input is untrusted. This means it would cause so many false-positives since actionlint reports an error whenever any input is used in |
Action lint already does this for the github context, could/should it consider workflow input fields as "untrusted" as well? I don't mind making a PR for this as well if needed.
#19
The text was updated successfully, but these errors were encountered: