Objective
Fix template injection vulnerabilities in MCP server configuration generation across all workflows. This is the most common pattern (74 occurrences) where GitHub Actions expressions are used unsafely in `run:` blocks.
Context
Security scan identified 176 template injection vulnerabilities, with the majority occurring in MCP server configuration generation. These vulnerabilities allow attackers to inject arbitrary commands by controlling environment variables or GitHub context values.
Related to discussion #2855 (Zizmor Security Analysis Report).
Approach
Pattern to Fix
Before (Vulnerable):

```yaml
run: |
  cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF
  {
    "mcpServers": {
      "safeoutputs": {
        "env": {
          "GH_AW_ASSETS_BRANCH": "${{ env.GH_AW_ASSETS_BRANCH }}",
          "GH_AW_ASSETS_MAX_SIZE_KB": "${{ env.GH_AW_ASSETS_MAX_SIZE_KB }}"
        }
      }
    }
  }
  EOF
```

After (Secure):

```yaml
env:
  ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }}
  ASSETS_MAX_SIZE: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }}
run: |
  cat > /tmp/gh-aw/mcp-config/mcp-servers.json << EOF
  {
    "mcpServers": {
      "safeoutputs": {
        "env": {
          "GH_AW_ASSETS_BRANCH": "$ASSETS_BRANCH",
          "GH_AW_ASSETS_MAX_SIZE_KB": "$ASSETS_MAX_SIZE"
        }
      }
    }
  }
  EOF
```

Files to Modify
Search all .lock.yml files for the pattern:

```shell
grep -r "GH_AW_ASSETS_BRANCH.*\${{" .github/workflows/*.lock.yml
```

Primary focus workflows:
- smoke-detector.lock.yml
- dev-hawk.lock.yml
- ci-doctor.lock.yml
- scout.lock.yml
- All other workflows with MCP server configuration steps
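As an added check (not part of this issue or the gh-aw project), a small scanner that is stricter than the grep above: it reports `${{ ... }}` only when the expression sits inside a `run:` value, so expressions that have already been moved into an `env:` block stop counting as findings. The two workflow fragments are constructed to mirror the before/after snippets; the line-based parsing assumes the lock-file layout (`run:` followed by a block scalar or an inline command).

```python
import re

EXPR = re.compile(r"\$\{\{.*?\}\}")                 # a GitHub Actions expression ${{ ... }}
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")  # a run: key, possibly as a list item

def find_run_block_expressions(yaml_text):
    """Return (line_no, expression) for every ${{ }} inside a run: value.
    Expressions in env: blocks are not reported; that is the safe place for them."""
    findings = []
    lines = yaml_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        key_col = len(m.group(1)) + len(m.group(2) or "")
        value = m.group(3)
        if value.lstrip().startswith(("|", ">")):
            # block scalar: the body is every following line indented past the run key
            i += 1
            while i < len(lines) and (not lines[i].strip()
                                      or len(lines[i]) - len(lines[i].lstrip()) > key_col):
                findings.extend((i + 1, e) for e in EXPR.findall(lines[i]))
                i += 1
        else:
            findings.extend((i + 1, e) for e in EXPR.findall(value))
            i += 1
    return findings

# Constructed samples mirroring the issue's before/after snippets (not real lock files)
VULNERABLE = """\
- run: |
    cat > mcp-servers.json << EOF
    {"safeoutputs": {"env": {
      "GH_AW_ASSETS_BRANCH": "${{ env.GH_AW_ASSETS_BRANCH }}",
      "GH_AW_ASSETS_MAX_SIZE_KB": "${{ env.GH_AW_ASSETS_MAX_SIZE_KB }}"}}}
    EOF
"""
FIXED = """\
- env:
    ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }}
    ASSETS_MAX_SIZE: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }}
  run: |
    cat > mcp-servers.json << EOF
    {"safeoutputs": {"env": {
      "GH_AW_ASSETS_BRANCH": "$ASSETS_BRANCH",
      "GH_AW_ASSETS_MAX_SIZE_KB": "$ASSETS_MAX_SIZE"}}}
    EOF
"""
```

The scanner flags the two expressions in VULNERABLE (lines 4 and 5) and nothing in FIXED. Note that `$ASSETS_BRANCH` expanded inside the unquoted heredoc is not re-parsed by the shell, so the fix stops command injection, but a value containing a double quote can still produce malformed JSON and is worth validating separately.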
Acceptance Criteria
- All MCP server configuration steps use an `env:` block for GitHub expressions
- No `${{ ... }}` expressions remain in HERE documents or JSON generation
- Re-running the `zizmor` scan shows a reduction in template-injection findings for MCP config
- Workflows continue to function correctly after fixes
- Compile all workflows with `gh aw compile` to ensure no syntax errors
Related to 🔒 Zizmor Security Analysis Report - 2025-10-31 #2855
AI generated by Plan Command for discussion #2855