Summary:
Multiple GitHub Actions workflows are using user-controlled data directly as parameters, which is a critical security risk (SonarQube rule: githubactions:S8263). This can lead to command injection or other vulnerabilities.
Affected Workflows and Lines:
- .github/workflows/add-hotfix-metadata.yml (line 25, parameter: ref)
- .github/workflows/draft-new-release.yml (lines 41: major-version, 42: minor-version, 43: patch-version, 49: tag)
- .github/workflows/gitstream.yml (lines 44: full_repository, 45: head_ref, 46: base_ref, 47: client_payload, 48: installation_id, 49: resolver_url, 50: resolver_token)
Remediation Required:
- Refactor each workflow to avoid passing user-controlled data directly as action parameters.
- Use environment variables or validated, sanitized inputs instead.
- Review all usages of ${{ github.event.inputs.* }} or similar patterns and ensure they are not directly interpolated into parameters or run blocks.
References:
- SonarQube rule: githubactions:S8263
- Severity: BLOCKER