fix(security): pipe action inputs through env vars (HIGH; shell injection)#3
Merged
Merged
Conversation
…tion)
Per the GitHub Actions security guide, interpolating
`${{ inputs.X }}` directly into a `run:` shell script is a
documented injection vector — a workflow caller passing
e.g. `name: '"; rm -rf /; #'` gets arbitrary shell
execution at the runner.
The pre-existing pattern in `action.yml` was vulnerable on
every input: `command`, `name`, `cron`, `at`, `url`,
`method`, `timezone`, `payload`, `description`, `worker`,
`cue-id`, `status`, `limit`, and `cli-version` — 14 inputs,
all interpolated directly. The `command` interpolation in
the case-statement value was the worst case (a malicious
value like `create) ; rm -rf / ; #` could escape the case
construct entirely).
Fix: declare every caller-supplied input in the step's
`env:` block, reference each in the script as `$VAR_NAME`.
Bash quotes env-var expansion automatically, so `"$NAME"`
is safe regardless of caller input.
This is the same pattern documented at
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
Surfaced in cueapi-secondary's earlier review on PR #2
(2026-05-04 cross-agent review). Filing as a standalone
follow-up so the fix can ship independently of PR #2's
review cadence — the issue exists on main today, every
caller of `cueapi/cueapi-action@v1` is affected.
PR #2 (when it merges) will need to follow the same env-var
pattern for its 16 new input references; the comment block
above the env: section flags this for the maintainer.
No behavior change for legitimate callers — same env-var
expansion, same `cmd=(...)` array assembly, same
invocation.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes the HIGH shell-injection finding from cueapi-secondary's cross-agent review on PR #2. Pre-existing on main; filing as a standalone follow-up so the fix can ship independently of PR #2's review cadence.
The vulnerability
The current `action.yml` interpolates inputs directly into the bash script:
```yaml
[ -n "${{ inputs.payload }}" ] && cmd+=(--payload "${{ inputs.payload }}")
[ -n "${{ inputs.cue-id }}" ] && cmd+=("${{ inputs.cue-id }}")
```
GitHub Actions documents this as a classic injection vector. A workflow caller passing `payload: '"; rm -rf /; #'` (or any number of variations) gets arbitrary shell execution at the runner.
The worst case is the `command` interpolation in the case-statement value at line 90 — a malicious value like `create) ; rm -rf / ; #` could escape the case construct entirely and execute attacker-controlled commands before the case dispatcher even sees the input.
14 inputs were vulnerable: `command`, `name`, `cron`, `at`, `url`, `method`, `timezone`, `payload`, `description`, `worker`, `cue-id`, `status`, `limit`, `cli-version`. Every caller of `cueapi/cueapi-action@v1` is affected today.
The fix
Pipe every caller-supplied input through env vars in the step's `env:` block, then reference each as `$VAR_NAME` in the script. Bash quotes env-var expansion automatically, so `"$NAME"` is safe regardless of caller input.
This is the documented standard pattern.
```yaml
env:
COMMAND: ${{ inputs.command }}
NAME: ${{ inputs.name }}
...
run: |
set -euo pipefail
cmd=(cueapi "$COMMAND")
case "$COMMAND" in
create)
[ -n "$NAME" ] && cmd+=(--name "$NAME")
# ...
```
A comment block above the `env:` section flags the pattern for future contributors so the vulnerability isn't silently re-introduced when adding new inputs.
Coordination with PR #2
PR #2 (`feat: expose cueapi 0.2.0 fire + executions subgroup commands`) adds 16 new input references on the same vulnerable pattern. When this PR lands first, PR #2 will need a small rebase to follow the env-var pattern for its new inputs — straightforward mechanical change. Filing standalone keeps this fix on its own review track, so the hosted users on `@v1` get the fix even if PR #2 stays in Govind's review queue for a while.
Test plan
Cross-references
🤖 Generated with Claude Code