Skip to content

[security-fix] Security Fix: Prevent injection in secret redaction YAML generation#1517

Merged
pelikhan merged 2 commits intomainfrom
fix/unsafe-quoting-redact-secrets-8e0f6adec4a778e0
Oct 11, 2025
Merged

[security-fix] Security Fix: Prevent injection in secret redaction YAML generation#1517
pelikhan merged 2 commits intomainfrom
fix/unsafe-quoting-redact-secrets-8e0f6adec4a778e0

Conversation

@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Oct 11, 2025

Security Fix: Prevent Injection in Secret Redaction YAML Generation

Alert Number: #10
Severity: Critical
Rule: go/unsafe-quoting
File: pkg/workflow/redact_secrets.go:70

Vulnerability Description

CodeQL identified a critical security vulnerability where JSON values containing single quotes could break out of enclosing quotes when embedded in YAML strings. This potentially unsafe quoting pattern could lead to:

  • Command Injection (CWE-78)
  • SQL Injection (CWE-89)
  • Code Injection (CWE-94)

The vulnerability occurred in the generateSecretRedactionStep function where secret references were embedded directly into YAML strings without proper escaping:

// BEFORE (vulnerable)
yaml.WriteString(fmt.Sprintf("          GITHUB_AW_SECRET_NAMES: '%s'\n", strings.Join(secretReferences, ",")))
yaml.WriteString(fmt.Sprintf("          SECRET_%s: ${{ secrets.%s }}\n", secretName, secretName))

If a secret name contained a single quote (e.g., SECRET'NAME), it would break out of the enclosing quotes and could potentially inject malicious YAML content.

Fix Applied

Added a new escapeSingleQuote() helper function that properly sanitizes data before embedding it in single-quoted YAML strings:

func escapeSingleQuote(s string) string {
    // First escape backslashes, then escape single quotes
    s = strings.ReplaceAll(s, `\`, `\\`)
    s = strings.ReplaceAll(s, `'`, `\'`)
    return s
}

Applied this escaping to all secret references before embedding them in the YAML:

// AFTER (secure)
escapedRefs := make([]string, len(secretReferences))
for i, ref := range secretReferences {
    escapedRefs[i] = escapeSingleQuote(ref)
}
yaml.WriteString(fmt.Sprintf("          GITHUB_AW_SECRET_NAMES: '%s'\n", strings.Join(escapedRefs, ",")))

escapedSecretName := escapeSingleQuote(secretName)
yaml.WriteString(fmt.Sprintf("          SECRET_%s: ${{ secrets.%s }}\n", escapedSecretName, escapedSecretName))

Security Best Practices

  1. Escape backslashes first: Prevents backslash escaping from interfering with quote escaping
  2. Escape single quotes: Prevents breaking out of single-quoted strings
  3. Minimal changes: Only added escaping where needed, maintaining code functionality
  4. Defense in depth: Protects against malicious or malformed secret names

Testing Considerations

  • Verify that workflows with normal secret names continue to work correctly
  • Test with secret names containing special characters (if possible in test environment)
  • Ensure the redaction step still properly masks secret values in logs
  • Validate that the generated YAML remains syntactically correct

References

🤖 Generated with Claude Code

AI generated by Security Fix PR

@github-actions @claude
Security: Fix unsafe quoting vulnerability in secret redaction
5fd9535 
This commit fixes CodeQL alert #10 (go/unsafe-quoting) in pkg/workflow/redact_secrets.go
by properly escaping single quotes and backslashes before embedding secret references
in YAML strings.

**Issue**: JSON values containing single quotes could break out of enclosing quotes,
potentially leading to command/SQL/code injection (CWE-78, CWE-89, CWE-94).

**Fix**: Added escapeSingleQuote() helper function that:
- Escapes backslashes first to prevent interference
- Escapes single quotes to prevent breaking out of quoted strings
- Applied escaping to all secret references before embedding in YAML

**Security Impact**: Prevents potential injection attacks when secret names contain
special characters that could manipulate the generated YAML structure.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@pelikhan pelikhan marked this pull request as ready for review October 11, 2025 05:22
@github-actions
Copy link
Contributor Author

github-actions bot commented Oct 11, 2025

Agentic Changeset Generator triggered by this pull request

@github-actions @claude
Add changeset for security fix in secret redaction
8406600 
Added changeset documenting the patch-level security fix that prevents
injection vulnerabilities in YAML generation for secret redaction.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@pelikhan pelikhan merged commit 41ea160 into main Oct 11, 2025
3 checks passed
@pelikhan pelikhan deleted the fix/unsafe-quoting-redact-secrets-8e0f6adec4a778e0 branch October 11, 2025 05:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

automated-fix security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@pelikhan