expand the qhelp for js/actions/injection

2026-04-28 10:15:14 +02:00 · 2022-05-03 13:25:12 +02:00
parent 48fb01f9f7
commit df4bfef8c7
1 changed files with 8 additions and 2 deletions
--- a/javascript/ql/src/Security/CWE-094/ExpressionInjection.qhelp
+++ b/javascript/ql/src/Security/CWE-094/ExpressionInjection.qhelp
@@ -12,16 +12,21 @@

 		</p>

+        <p>
+            Code injection in GitHub actions may allow an attacker to 
+            exfiltrate the temporary GitHub repository authorization token. 
+            The token has write access to the repository, and thus an attacker
+            can use it to modify the repository.
+        </p>
+
 	</overview>

 	<recommendation>

 		<p>
-
 			The best practice to avoid code injection vulnerabilities
 			in GitHub workflows is to set the untrusted input value of the expression
 			to an intermediate environment variable.
-
 		</p>

 	</recommendation>
@@ -49,6 +54,7 @@

 	<references>
 		<li>GitHub Security Lab Research: <a href="https://securitylab.github.com/research/github-actions-untrusted-input">Keeping your GitHub Actions and workflows secure: Untrusted input</a>.</li>
+        <li>GitHub Docs: <a href="https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions">Security hardening for GitHub Actions</a>.</li>
 	</references>

 </qhelp>