I got this message:

info[template-injection]: code injection via template expansion
--> /Users/ned/coverage/trunk/.github/workflows/coverage.yml:206:9
|
206 | - name: "Compute info for later steps"
| ------------------------------------ info: this step
207 | id: info
208 | run: |
| _________-
209 | | export SHA10=$(echo ${{ github.sha }} | cut -c 1-10)
... |
217 | | echo "url=https://htmlpreview.github.io/?https://github.com/nedbat/coverage-reports/blob/main/reports/$SLUG/htmlcov/index...
218 | | echo "branch=${REF#refs/heads/}" >> $GITHUB_ENV
| |_________________________________________________________- info: github.sha may expand into attacker-controllable code
|
Can ${{ github.sha }} be attacker-controlled? Isn't it controlled by GitHub, and is only the SHA of the commit? Am I overlooking a particularly sneaky approach? Or does zizmor warn about any value being interpolated into shell commands, regardless of their origin?
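Added example, not part of zizmor, the coverage.py workflow or the post above, that shows the mechanism this finding class is about. The Actions runner substitutes the text of a `${{ ... }}` expression into the `run:` script before the shell parses it, so whatever the expression expands to becomes shell code; passing the same value through `env:` keeps the script text constant and the value is only data. The step scripts, the `expand`/`unsafe_run`/`safe_run` helpers and the two inputs are constructed for the demonstration: the first is a well-formed commit SHA, the second a value that no valid SHA can contain but that other contexts (a pull request title, a branch name) can. It does not show what zizmor decides about `github.sha` specifically; that is the open question of the post.

```shell
#!/bin/sh
# Added example (not zizmor's or the coverage.py workflow's code): a small
# simulation of why `${{ ... }}` inside `run:` is a code-injection sink.
#
# The runner substitutes the text of an expression into the step's script
# BEFORE the shell sees it, so the expansion is parsed as shell code.
# Passing the value through `env:` keeps the script text constant.

# Hypothetical step script with an expression placeholder, modelled on the
# SHA10 line in the finding above.
UNSAFE_STEP='echo "${{ github.sha }}" | cut -c 1-10'

# The hardened form: the value arrives in an environment variable.
SAFE_STEP='echo "$SHA" | cut -c 1-10'

# expand TEMPLATE VALUE: replace the placeholder textually (first occurrence),
# with no quoting or escaping, which is what the runner does.
expand() {
  placeholder='${{ github.sha }}'
  case $1 in
    *"$placeholder"*)
      before=${1%%"$placeholder"*}
      after=${1#*"$placeholder"}
      printf '%s%s%s' "$before" "$2" "$after"
      ;;
    *)
      printf '%s' "$1"
      ;;
  esac
}

# unsafe_run VALUE: expansion first, then the shell parses the result.
unsafe_run() {
  sh -c "$(expand "$UNSAFE_STEP" "$1")"
}

# safe_run VALUE: the value is exported; the script never changes.
safe_run() {
  SHA=$1 sh -c "$SAFE_STEP"
}

# Constructed inputs: a well-formed commit SHA, and a value that no valid SHA
# can contain but that other contexts (PR titles, branch names) can.
BENIGN_SHA='0123456789abcdef0123456789abcdef01234567'
HOSTILE='$(echo INJECTED)'

# Stand-alone demonstration.
echo "unsafe, benign : $(unsafe_run "$BENIGN_SHA")"   # 0123456789
echo "unsafe, hostile: $(unsafe_run "$HOSTILE")"      # INJECTED   (the command ran)
echo "safe,   hostile: $(safe_run "$HOSTILE")"        # $(echo INJ (plain data)
```

In a real workflow the hardened form is `env: SHA: ${{ github.sha }}` on the step followed by `run: echo "$SHA" | cut -c 1-10`; the script text then contains no expression at all, which is what makes the step safe regardless of where the value came from.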