Open
Description
Hello,
I'm working on a Pulumi provider based on the pulumi-tf-provider-boilerplate, which uses ci-mgmt to synchronize and generate the build system.
Semgrep is detecting multiple high-severity security issues in the generated GitHub Actions workflows. Since these files are generated by ci-mgmt, I don't have a straightforward way to fix them without modifying the generated files.
Environment:
- ci-mgmt version: latest
- Repository: https://github.com/outscale/pulumi-outscale
Issue Details:
All findings are related to run-shell-injection - using ${{...}} interpolation with potentially untrusted input in shell commands. Semgrep recommends using environment variables instead.
Semgrep Output:
.github/actions/download-sdk/action.yml
❯❯❱ yaml.github-actions.security.run-shell-injection.run-shell-injection
Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an
attacker to inject their own code into the runner. This would allow them to steal secrets and code.
`github` context data can have arbitrary user input and should be treated as untrusted. Instead, use
an intermediate environment variable with `env:` to store the data and use the environment variable
in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Details: https://sg.run/pkzk
19┆ run: tar -zxf ${{ github.workspace }}/sdk/${{ inputs.language }}.tar.gz -C ${{
github.workspace }}/sdk/${{ inputs.language }}
.github/actions/upload-sdk/action.yml
❯❯❱ yaml.github-actions.security.run-shell-injection.run-shell-injection
Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an
attacker to inject their own code into the runner. This would allow them to steal secrets and code.
`github` context data can have arbitrary user input and should be treated as untrusted. Instead, use
an intermediate environment variable with `env:` to store the data and use the environment variable
in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Details: https://sg.run/pkzk
14┆ run: tar -zcf sdk/${{ inputs.language }}.tar.gz -C sdk/${{ inputs.language }} .
.github/workflows/prerequisites.yml
❯❯❱ yaml.github-actions.security.run-shell-injection.run-shell-injection
Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an
attacker to inject their own code into the runner. This would allow them to steal secrets and code.
`github` context data can have arbitrary user input and should be treated as untrusted. Instead, use
an intermediate environment variable with `env:` to store the data and use the environment variable
in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Details: https://sg.run/pkzk
97┆ run: |
98┆ EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
99┆ {
100┆ echo "SCHEMA_CHANGES<<$EOF";
101┆ schema-tools compare -r github://api.github.com/outscale -p outscale -o "${{
inputs.default_branch }}" -n --local-path=provider/cmd/pulumi-resource-
outscale/schema.json;
102┆ echo "$EOF";
103┆ } >> "$GITHUB_ENV"
.github/workflows/publish.yml
❯❯❱ yaml.github-actions.security.run-shell-injection.run-shell-injection
Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an
attacker to inject their own code into the runner. This would allow them to steal secrets and code.
`github` context data can have arbitrary user input and should be treated as untrusted. Instead, use
an intermediate environment variable with `env:` to store the data and use the environment variable
in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Details: https://sg.run/pkzk
88┆ run: shasum ./*.tar.gz > "pulumi-outscale_${{ inputs.version }}_checksums.txt"
.github/workflows/upgrade-provider.yml
❯❯❱ yaml.github-actions.security.run-shell-injection.run-shell-injection
Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an
attacker to inject their own code into the runner. This would allow them to steal secrets and code.
`github` context data can have arbitrary user input and should be treated as untrusted. Instead, use
an intermediate environment variable with `env:` to store the data and use the environment variable
in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Details: https://sg.run/pkzk
64┆ run: go install github.com/pulumi/upgrade-provider@${{ inputs.upgradeProviderVersion ||
'main' }}
⋮┆----------------------------------------
84┆ run: echo "version=${{ github.event.inputs.version ||
steps.upstream_version.outputs.latest_version }}" >> "$GITHUB_OUTPUT"
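The rewrite Semgrep's message asks for, shown against the flagged steps, as an added example that is not ci-mgmt's generated output nor part of the issue; the composite action's `inputs:` declaration, the `id: version` step id and the grouping of the publish.yml and upgrade-provider.yml steps into one job are assumptions made for illustration.

```yaml
# Added example, not ci-mgmt's generated code: the rewrite Semgrep recommends.
# Each ${{ ... }} expression is evaluated into an `env:` entry before the step
# runs, and the script references only the double-quoted shell variable, so
# the value reaches the command as data instead of being spliced into its text.

# .github/actions/download-sdk/action.yml (composite action; inputs: assumed)
inputs:
  language:
    required: true
runs:
  using: composite
  steps:
    - name: Extract SDK tarball
      shell: bash
      env:
        SDK_LANGUAGE: ${{ inputs.language }}
        WORKSPACE: ${{ github.workspace }}
      run: |
        tar -zxf "$WORKSPACE/sdk/$SDK_LANGUAGE.tar.gz" \
            -C "$WORKSPACE/sdk/$SDK_LANGUAGE"
---
# Steps from upgrade-provider.yml and publish.yml, same pattern
# (combined into a single illustrative job; `id: version` is assumed)
jobs:
  upgrade:
    runs-on: ubuntu-latest
    steps:
      - name: Install upgrade-provider
        env:
          # the `|| 'main'` fallback is evaluated by the expression engine here,
          # never by the shell
          UPGRADE_PROVIDER_VERSION: ${{ inputs.upgradeProviderVersion || 'main' }}
        run: go install "github.com/pulumi/upgrade-provider@$UPGRADE_PROVIDER_VERSION"

      - name: Resolve version
        id: version
        env:
          VERSION: ${{ github.event.inputs.version || steps.upstream_version.outputs.latest_version }}
        run: echo "version=$VERSION" >> "$GITHUB_OUTPUT"

      - name: Write checksums
        env:
          VERSION: ${{ inputs.version }}
        run: shasum ./*.tar.gz > "pulumi-outscale_${VERSION}_checksums.txt"
```

Of the flagged values, `github.workspace` is set by the runner rather than by a user, so the practical exposure comes from the `inputs.*` and `github.event.inputs.*` values; routing every expression through `env:` still clears the finding and keeps one uniform pattern in the generated files.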