
Feature request: Detect expression injection in service options #22

Open
johnbillion opened this issue Dec 16, 2024 · 2 comments
@johnbillion, Contributor

johnbillion commented Dec 16, 2024

GitHub Actions workflows support a services directive to start containers. Each service can be provided an options argument as a string, which is passed to the docker command when starting the container. Here's an example:

services:
  database:
    image: mysql:5.7
    options: >-
      --health-cmd="mysqladmin ping"
      --health-interval="30s"
      --health-timeout="10s"
      --health-retries="5"
      --entrypoint "${{ matrix.entrypoint }}"

This example contains an expression injection vulnerability via the matrix value. It would be great if Octoscan could detect this and flag it as an error just as it does for expressions in run directives.
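The check being requested, sketched as an added example that is not Octoscan's code and not part of the original issue: walk every job's services.*.options (and, since it takes the same docker option string, the job-level container.options), pull out each `${{ ... }}` expression, list the contexts it references, and grade the finding. The workflow is passed in as an already-parsed dict (what `yaml.safe_load` returns); the sample workflow below is constructed from the issue's snippet plus two extra services for contrast. The list of attacker-controllable contexts follows GitHub's script-injection documentation; treating `matrix.*` as untrusted is an assumption taken from this issue (a matrix is often built with `fromJSON()` over data the workflow does not control).

```python
"""Flag ${{ }} expressions inside docker option strings of a GitHub Actions workflow."""
import re

# One ${{ ... }} expression as the runner would interpolate it.
EXPR_RE = re.compile(r"\$\{\{(.*?)\}\}", re.DOTALL)
# A dotted or indexed context reference: matrix.entrypoint, github.event.issue.title, ...
CONTEXT_RE = re.compile(r"\b([a-zA-Z_][\w-]*(?:\.[\w-]+|\[[^\]]*\])+)")
# Single-quoted string literals inside an expression are not context references.
LITERAL_RE = re.compile(r"'[^']*'")

# Contexts GitHub documents as attacker-controllable, plus matrix.* per this issue
# (assumption: the matrix may have been produced by fromJSON() over untrusted input).
UNTRUSTED_CONTEXTS = [
    r"^github\.event\.(issue|pull_request|discussion)\.(title|body)$",
    r"^github\.event\.(comment|review|review_comment)\.body$",
    r"^github\.event\.pages\.[^.]+\.page_name$",
    r"^github\.event\.(commits\.[^.]+|head_commit)\.message$",
    r"^github\.event\.(commits\.[^.]+|head_commit)\.author\.(email|name)$",
    r"^github\.event\.pull_request\.head\.(ref|label)$",
    r"^github\.event\.pull_request\.head\.repo\.default_branch$",
    r"^github\.head_ref$",
    r"^inputs\.",
    r"^matrix\.",
]


def is_untrusted(ref):
    """True when a context reference matches a known attacker-controllable context."""
    return any(re.match(pattern, ref) for pattern in UNTRUSTED_CONTEXTS)


def expressions_in(value):
    """Yield (expression_body, [context refs]) for every ${{ }} in a string.

    Index accesses such as commits[0] are normalised to commits.* so the
    UNTRUSTED_CONTEXTS patterns can match them.
    """
    for match in EXPR_RE.finditer(value):
        body = match.group(1).strip()
        refs = CONTEXT_RE.findall(LITERAL_RE.sub("", body))
        yield body, [re.sub(r"\[[^\]]*\]", ".*", ref) for ref in refs]


def scan_workflow(workflow):
    """Return findings for expressions in services.*.options and container.options.

    A finding is an error when any referenced context is attacker-controllable,
    otherwise a warning (the value is still interpolated into a docker command line).
    """
    findings = []
    for job_id, job in (workflow.get("jobs") or {}).items():
        targets = []
        container = job.get("container")
        if isinstance(container, dict):
            targets.append((f"jobs.{job_id}.container.options", container.get("options")))
        for name, service in (job.get("services") or {}).items():
            if isinstance(service, dict):
                targets.append((f"jobs.{job_id}.services.{name}.options", service.get("options")))
        for path, options in targets:
            if not isinstance(options, str):
                continue
            for expr, refs in expressions_in(options):
                findings.append({
                    "path": path,
                    "expression": expr,
                    "contexts": refs,
                    "severity": "error" if any(is_untrusted(r) for r in refs) else "warning",
                })
    return findings


# Constructed sample: the issue's service (folded scalar joined into one line)
# plus a benign env-based option and a job-level container using github.head_ref.
SAMPLE_WORKFLOW = {
    "jobs": {
        "test": {
            "strategy": {"matrix": {"entrypoint": ["/bin/sh", "/bin/bash"]}},
            "services": {
                "database": {
                    "image": "mysql:5.7",
                    "options": (
                        '--health-cmd="mysqladmin ping" --health-interval="30s" '
                        '--health-timeout="10s" --health-retries="5" '
                        '--entrypoint "${{ matrix.entrypoint }}"'
                    ),
                },
                "cache": {"image": "redis", "options": "--memory ${{ env.CACHE_MEM }}"},
            },
        },
        "build": {
            "container": {"image": "node:20", "options": "--name ${{ github.head_ref }}"},
        },
    }
}

if __name__ == "__main__":
    for finding in scan_workflow(SAMPLE_WORKFLOW):
        print(f"{finding['severity']}: {finding['path']} interpolates "
              f"{', '.join(finding['contexts'])} in '{finding['expression']}'")
```

Running the module reports the issue's `matrix.entrypoint` service and the `github.head_ref` container as errors and the `env.CACHE_MEM` service as a warning. To scan a real file, feed `yaml.safe_load(open(path).read())` (PyYAML, not part of the standard library) to `scan_workflow`.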

@hugo-syn, Collaborator

Should not be too complicated to implement, I'll do this :)

@hugo-syn, Collaborator

Hi @johnbillion, could you try commit 92bfbdb and tell me if it's good for you?
