optimizely / swift-sdk

Swift SDK for Optimizely Feature Experimentation and Optimizely Full Stack (legacy)
https://www.optimizely.com/products/full-stack/
Apache License 2.0
21 stars 30 forks source link

fix: github workflow vulnerable to script injection #554

Closed diogoteles08 closed 2 months ago

diogoteles08 commented 3 months ago

Hi! I'm Diogo from Google's Open Source Security Team(GOSST) and I'm dropping by to suggest this small change that will enhance the security of your repository by preventing script injection attacks through your GitHub workflows.

In the piece of code I changed, you were directly using the value of a variable that comes from a user's input, so a malicious user could exploit that input and use it to run arbitrary code. By using an intermediate environment variable, the value of the expression is stored in memory, used as a variable and doesn't interact with the script generation process. This mitigates the script injection risks and also keeps your workflow running exactly as before.

You can find more information about this on this github documentation or in this gitguardian blogpost.

Cheers!

jaeopt commented 3 months ago

@diogoteles08 Thanks for your contribution! We'll take a look. If not done already, please sign the CLA - https://github.com/optimizely/swift-sdk/blob/master/CONTRIBUTING.md

mikechu-optimizely commented 2 months ago

This is going into our next sprint under ticket FSSDK-10665

muzahidul-opti commented 2 months ago

@diogoteles08 this issue has been fixed with the PR