You also need to make sure you take care using PR titles and descriptions in your GHA because if they contain `text` it *may be executed lmfao.
edited: not "will", may depending on your GHA
You also need to make sure you take care using PR titles and descriptions in your GHA because if they contain `text` it *may be executed lmfao.
edited: not "will", may depending on your GHA
Can you cite this? It's not YAML execution syntax, surely Github doesn't do it, the only vector I can see is if you put it unquoted into a shell script inside of a GHA yaml.
I think he means template-injection -- https://woodruffw.github.io/zizmor/audits/#template-injectio...
Yes that's it.
https://github.com/orgs/community/discussions/27065
https://stackoverflow.com/questions/77090044/github-actions-...
https://www.praetorian.com/blog/pwn-request-hacking-microsof...
All you need is user content containing `backticked`, and a github action referencing that via eg "github.event.issue.title" where the shell would normally execute `backticked` as a command (like echo, cat, etc).
Maybe zizmor could catch this https://github.com/zizmorcore/zizmor but not sure 100%
Yeah, zizmor checks for template injection.
Nice