update the qhelp to mention that the GITHUB_TOKEN only sometimes has write-access

2026-04-29 18:55:14 +02:00 · 2022-05-05 12:12:29 +02:00
parent c0152a46bc
commit 0c0e280637
1 changed files with 7 additions and 19 deletions
--- a/javascript/ql/src/Security/CWE-094/ExpressionInjection.qhelp
+++ b/javascript/ql/src/Security/CWE-094/ExpressionInjection.qhelp
@@ -2,59 +2,47 @@
 "-//Semmle//qhelp//EN"
 "qhelp.dtd">
 <qhelp>
-
 	<overview>
-
 		<p>
-
 			Using user-controlled input in GitHub Actions may lead to
 			code injection in contexts like <i>run:</i> or <i>script:</i>.
-
 		</p>
-
        <p>
            Code injection in GitHub actions may allow an attacker to 
            exfiltrate the temporary GitHub repository authorization token. 
-            The token has write access to the repository, and thus an attacker
-            can use it to modify the repository.
+            The token might have write access to the repository, and thus an attacker
+            might be able to use it to modify the repository.
        </p>
-
 	</overview>

 	<recommendation>
-
 		<p>
 			The best practice to avoid code injection vulnerabilities
 			in GitHub workflows is to set the untrusted input value of the expression
 			to an intermediate environment variable.
 		</p>
-
+        <p>
+            It is also recommended to limit the permissions of any tokens used 
+            by a workflow such as the the GITHUB_TOKEN. 
+        </p>
 	</recommendation>

 	<example>
-
 		<p>
-
 			The following example lets a user inject an arbitrary shell command:
-
 		</p>
-
 		<sample src="examples/comment_issue_bad.yml" />

 		<p>
-
 			The following example uses shell syntax to read
 			the environment variable and will prevent the attack:
-
 		</p>
-
 		<sample src="examples/comment_issue_good.yml" />
-
 	</example>

 	<references>
 		<li>GitHub Security Lab Research: <a href="https://securitylab.github.com/research/github-actions-untrusted-input">Keeping your GitHub Actions and workflows secure: Untrusted input</a>.</li>
        <li>GitHub Docs: <a href="https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions">Security hardening for GitHub Actions</a>.</li>
+        <li>GitHub Docs: <a href="https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token">Permissions for the GITHUB_TOKEN</a>.</li>
 	</references>
-
 </qhelp>