False positive warning for using github.head_ref in if statement #443

Open
ryo-kozin opened this issue Aug 27, 2024 · 1 comment

Description:

When using actionlint to check GitHub Actions workflows, I encountered a warning indicating that github.head_ref is potentially untrusted when used directly in an inline script. However, this warning appears even when github.head_ref is used inside an if statement in the workflow file.

Command Executed and Output:

I ran the following command to check my workflow file:

% actionlint

And received the following warning:

.github/workflows/xxx.yml:5:5: "github.head_ref" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions for more details [expression]

Why this is not an issue:

  • The if statement in GitHub Actions workflows is evaluated by GitHub’s internal engine, not as part of a shell script. Therefore, it does not pose a security risk.
  • Using ${{ github.head_ref }} inside an if condition does not expose the workflow to script injection vulnerabilities because it is not executed in a shell environment.

Suggestion:

It would be helpful if actionlint could differentiate between uses of ${{ github.head_ref }} in if conditions and actual inline scripts. This way, only genuine security risks are flagged, reducing false positives.

References:

  1. GitHub Actions: Using conditions to control job execution
     The documentation clarifies that expressions used in if conditions are evaluated by the GitHub Actions engine and do not directly execute in a shell.

  2. GitHub Actions: Security hardening for GitHub Actions
     This document provides best practices for security in GitHub Actions and explains that untrusted input should be avoided in shell scripts. However, it does not apply to expressions used in workflow conditions.

Example of current false positive:

```yaml
jobs:
  example-job:
    runs-on: ubuntu-latest
    if: ${{ github.event_name == 'pull_request' && startsWith(github.head_ref, 'test/') }}
    steps:
      - name: Do something
        run: echo "This is safe"
```

In this example, using github.head_ref in the if statement should not trigger a security warning.

Thank you for considering this improvement.
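The distinction the report draws, as an added example that is not code from this issue or from the actionlint project: a POSIX shell script that simulates how the runner treats `${{ github.head_ref }}` in a `run:` script (textual substitution before the shell parses the script, which is the injection point the actionlint warning refers to), in an `env:` variable (the fix the warning recommends), and in an `if:` condition (string comparison by the expression engine, never a shell). The branch name `HOSTILE_REF` and the helper names `run_inline`, `run_via_env` and `condition_allows_job` are constructed for this illustration and are not part of GitHub Actions or actionlint.

```shell
#!/bin/sh
# Added example; not code from the actionlint issue or the actionlint project.
# Simulates the three places github.head_ref can appear in a workflow and how
# each one treats the value. Helper names and the branch name are constructed.

# Constructed hostile PR branch name. A fork author chooses github.head_ref.
# A real payload would exfiltrate secrets rather than echo a marker.
HOSTILE_REF='test/x"; echo INJECTED; echo "'

# Stand-in for the runner expanding
#   run: echo "Branch is ${{ github.head_ref }}"
# The expression is replaced by the raw value, then the resulting text is
# executed as a script. This is what actionlint's "expression" rule flags.
run_inline() {
  ref="$1"
  script='echo "Branch is ${{ github.head_ref }}"'
  tok='${{ github.head_ref }}'
  prefix=${script%%"$tok"*}     # text before the expression
  suffix=${script#*"$tok"}      # text after the expression
  sh -c "$prefix$ref$suffix"    # hostile ref closes the quote and injects commands
}

# Hardened form recommended by the actionlint warning:
#   env:
#     HEAD_REF: ${{ github.head_ref }}
#   run: echo "Branch is $HEAD_REF"
# The value reaches the script only as an environment variable, so the shell
# treats it as a single string whatever characters it contains.
run_via_env() {
  HEAD_REF="$1" sh -c 'echo "Branch is $HEAD_REF"'
}

# Stand-in for the expression engine evaluating
#   if: ${{ github.event_name == 'pull_request' && startsWith(github.head_ref, 'test/') }}
# Strings are only compared; no shell is involved, so a hostile value can at
# most flip the condition. Returns 0 when the job would run, 1 otherwise.
condition_allows_job() {
  event="$1"
  ref="$2"
  [ "$event" = "pull_request" ] || return 1
  case $ref in
    "test/"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Demonstration when run directly: the inline form prints an extra INJECTED
# line, the env form prints the branch name verbatim on one line, and the
# if-style check merely returns true for the hostile ref.
printf 'inline run:\n%s\n\n' "$(run_inline "$HOSTILE_REF")"
printf 'env run:\n%s\n\n' "$(run_via_env "$HOSTILE_REF")"
if condition_allows_job pull_request "$HOSTILE_REF"; then
  echo "if: condition true, nothing executed"
fi
```

The substitution in `run_inline` is deliberately naive; the real runner does the same textual replacement, which is why quoting inside the script cannot save you: the hostile value supplies its own closing quote. The `env:` path has no such step, and neither does `if:`.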

4 participants
@rhysd @ryo-kozin and others