Learning More about Security of GitHub Actions Part 2
We covered the value of GitHub Actions and several ways to make it more secure in my earlier blog post. There are, nevertheless, further ways to make workflows safer, and we will go over them one at a time.
Don’t directly reference values that we cannot control
There are several places in a GitHub Actions workflow where values are supplied from outside sources (for example, workflow inputs or event payloads); if the workflow author is not careful, referencing these values directly can lead to injection attacks or accidental manipulation of the workflow.
Consider the following scenario: one of our workflow steps takes a GitHub workflow input and passes it to a shell command, as shown below.
- name: Run a command by taking inputs from user
  run: echo "Hello, ${{ github.event.inputs.user }}"
Without sanitization, an attacker can inject malicious shell commands through the github.event.inputs.user input: the ${{ }} expression is expanded into the script text before the shell runs it, so whatever the value contains becomes part of the command itself. For example, the attacker can gain additional privileges and execute commands on a server (the runner) that they are not authorized to use.
To reduce the risk of this vulnerability, always sanitize the input before using it; inputs can be cleaned with built-in routines or with our own scripts. You should always use “env” when dealing with…
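The following workflow is an added example, not code from the original post: it shows the greeting step from above rewritten so that the input is passed through an environment variable instead of being interpolated into the script, together with an allowlist check that rejects unexpected characters before the value is used. The workflow name, the input name "user", the USER_INPUT variable name and the allowlist regex are assumptions chosen for illustration.

```yaml
# Added example (not from the original post). Workflow name, input name,
# environment variable name and the allowlist regex are assumptions.
name: greet-user
on:
  workflow_dispatch:
    inputs:
      user:
        description: "Name to greet"
        required: true
        type: string

permissions:
  contents: read   # least privilege: this job needs nothing more

jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      # Sanitize first: reject anything outside a conservative allowlist
      # before the value is used anywhere else in the job. The value is read
      # from the environment, so this check is itself not injectable.
      - name: Validate input
        env:
          USER_INPUT: ${{ github.event.inputs.user }}
        run: |
          if ! printf '%s' "$USER_INPUT" | grep -Eq '^[A-Za-z0-9._-]{1,39}$'; then
            echo "::error::input 'user' contains characters outside the allowlist"
            exit 1
          fi

      # UNSAFE (kept as a comment for comparison): ${{ }} is expanded by the
      # runner *before* the shell starts, so the input text becomes part of the
      # script and any shell metacharacters in it are interpreted as code.
      # - name: Greet (vulnerable)
      #   run: echo "Hello, ${{ github.event.inputs.user }}"

      # SAFE: the script text is fixed; the shell reads the value at run time
      # and, because the variable is double-quoted, treats it purely as data.
      - name: Greet (hardened)
        env:
          USER_INPUT: ${{ github.event.inputs.user }}
        run: echo "Hello, $USER_INPUT"
```

The env mapping is evaluated by the runner and placed in the process environment, so the expression never touches the script body; double-quoting `$USER_INPUT` keeps the shell from word-splitting or globbing the value. The allowlist step is optional but cheap, and the `::error::` workflow command makes the rejection visible in the job log.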