Conversation

@github-actions
Contributor

Security Fix: Prevent Injection in Secret Redaction YAML Generation

Alert Number: #10
Severity: Critical
Rule: go/unsafe-quoting
File: pkg/workflow/redact_secrets.go:70

Vulnerability Description

CodeQL identified a critical security vulnerability where JSON values containing single quotes could break out of enclosing quotes when embedded in YAML strings. This potentially unsafe quoting pattern could lead to:

  • Command Injection (CWE-78)
  • SQL Injection (CWE-89)
  • Code Injection (CWE-94)

The vulnerability occurred in the generateSecretRedactionStep function where secret references were embedded directly into YAML strings without proper escaping:

// BEFORE (vulnerable)
yaml.WriteString(fmt.Sprintf("          GITHUB_AW_SECRET_NAMES: '%s'\n", strings.Join(secretReferences, ",")))
yaml.WriteString(fmt.Sprintf("          SECRET_%s: ${{ secrets.%s }}\n", secretName, secretName))

If a secret name contained a single quote (e.g., SECRET'NAME), it would break out of the enclosing quotes and could potentially inject malicious YAML content.

Fix Applied

Added a new escapeSingleQuote() helper function that properly sanitizes data before embedding it in single-quoted YAML strings:

func escapeSingleQuote(s string) string {
    // First escape backslashes, then escape single quotes
    s = strings.ReplaceAll(s, `\`, `\\`)
    s = strings.ReplaceAll(s, `'`, `\'`)
    return s
}

Applied this escaping to all secret references before embedding them in the YAML:

// AFTER (secure)
escapedRefs := make([]string, len(secretReferences))
for i, ref := range secretReferences {
    escapedRefs[i] = escapeSingleQuote(ref)
}
yaml.WriteString(fmt.Sprintf("          GITHUB_AW_SECRET_NAMES: '%s'\n", strings.Join(escapedRefs, ",")))

escapedSecretName := escapeSingleQuote(secretName)
yaml.WriteString(fmt.Sprintf("          SECRET_%s: ${{ secrets.%s }}\n", escapedSecretName, escapedSecretName))

Security Best Practices

  1. Escape backslashes first: Prevents backslash escaping from interfering with quote escaping
  2. Escape single quotes: Prevents breaking out of single-quoted strings
  3. Minimal changes: Only added escaping where needed, maintaining code functionality
  4. Defense in depth: Protects against malicious or malformed secret names

Testing Considerations

  • Verify that workflows with normal secret names continue to work correctly
  • Test with secret names containing special characters (if possible in test environment)
  • Ensure the redaction step still properly masks secret values in logs
  • Validate that the generated YAML remains syntactically correct

🤖 Generated with Claude Code

AI generated by Security Fix PR

This commit fixes CodeQL alert #10 (go/unsafe-quoting) in pkg/workflow/redact_secrets.go
by properly escaping single quotes and backslashes before embedding secret references
in YAML strings.

**Issue**: JSON values containing single quotes could break out of enclosing quotes,
potentially leading to command/SQL/code injection (CWE-78, CWE-89, CWE-94).

**Fix**: Added escapeSingleQuote() helper function that:
- Escapes backslashes first to prevent interference
- Escapes single quotes to prevent breaking out of quoted strings
- Applied escaping to all secret references before embedding in YAML

**Security Impact**: Prevents potential injection attacks when secret names contain
special characters that could manipulate the generated YAML structure.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
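Added example, not part of the PR or of the project's code: a YAML single-quoted scalar has exactly one escape, a literal `'` written as `''`, and backslash carries no meaning inside it. The block below compares the `\'`-style escaping shown in the PR with `''`-doubling by feeding both through a minimal reader for single-quoted scalars, so you can see where each scalar actually ends and what text lands outside it. It also shows the check a reviewer would ask for on the `SECRET_%s: ${{ secrets.%s }}` line, which has no quoting context at all: reject names outside an identifier allowlist instead of escaping them. The names `quoteYAMLSingle`, `pageEscape`, `parseYAMLSingle`, `secretNameRE` and `renderSecretEnv` are assumptions for this example; the allowlist mirrors GitHub's documented secret-name rules (letters, digits and underscore, not starting with a digit) and is not taken from the project. The reader deliberately does not implement line folding, so it only reports where a scalar closes and what follows it.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// quoteYAMLSingle wraps s in a YAML single-quoted scalar. YAML defines a
// single escape inside single quotes: a literal ' is written as ''.
// Backslash is an ordinary character there and is left untouched.
func quoteYAMLSingle(s string) string {
	return "'" + strings.ReplaceAll(s, "'", "''") + "'"
}

// pageEscape reproduces the PR's scheme (\\ then \') for comparison only;
// that is the shell/C convention, not YAML's.
func pageEscape(s string) string {
	s = strings.ReplaceAll(s, `\`, `\\`)
	s = strings.ReplaceAll(s, `'`, `\'`)
	return "'" + s + "'"
}

// parseYAMLSingle reads one single-quoted scalar at the start of in and
// returns the decoded value plus whatever follows the closing quote, which
// is exactly where an injected payload would land. Line folding is not
// implemented (assumption: we only care about where the scalar ends).
func parseYAMLSingle(in string) (value, rest string, err error) {
	if !strings.HasPrefix(in, "'") {
		return "", in, fmt.Errorf("not a single-quoted scalar")
	}
	var b strings.Builder
	for i := 1; i < len(in); {
		c := in[i]
		if c != '\'' {
			b.WriteByte(c)
			i++
			continue
		}
		// '' is an escaped quote; a lone ' closes the scalar.
		if i+1 < len(in) && in[i+1] == '\'' {
			b.WriteByte('\'')
			i += 2
			continue
		}
		return b.String(), in[i+1:], nil
	}
	return "", in, fmt.Errorf("unterminated single-quoted scalar")
}

// secretNameRE is an allowlist for secret names (assumed here, modelled on
// GitHub's documented rules): letters, digits, underscore, no leading digit.
var secretNameRE = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// renderSecretEnv builds the two env lines from the PR. Names outside the
// allowlist are rejected up front, because the SECRET_<name> line is
// unquoted and no amount of escaping can protect it.
func renderSecretEnv(names []string) (string, error) {
	for _, n := range names {
		if !secretNameRE.MatchString(n) {
			return "", fmt.Errorf("invalid secret name %q", n)
		}
	}
	var yaml strings.Builder
	yaml.WriteString("          GITHUB_AW_SECRET_NAMES: " + quoteYAMLSingle(strings.Join(names, ",")) + "\n")
	for _, n := range names {
		fmt.Fprintf(&yaml, "          SECRET_%s: ${{ secrets.%s }}\n", n, n)
	}
	return yaml.String(), nil
}

func main() {
	// Constructed hostile name: closes the quote, then adds a new mapping key.
	hostile := "A'\n          RUN: evil"

	v, rest, _ := parseYAMLSingle(pageEscape(hostile))
	fmt.Printf("backslash escaping: value=%q leftover=%q\n", v, rest)

	v, rest, _ = parseYAMLSingle(quoteYAMLSingle(hostile))
	fmt.Printf("quote doubling:     value=%q leftover=%q\n", v, rest)

	if _, err := renderSecretEnv([]string{"API_KEY", hostile}); err != nil {
		fmt.Println("allowlist rejected:", err)
	}
	out, _ := renderSecretEnv([]string{"API_KEY", "DB_PASS"})
	fmt.Print(out)
}
```

With the PR's escaping the scalar closes at `A\` and the `RUN: evil` line is left outside the quotes; with `''` doubling the whole hostile string stays inside the scalar and nothing is left over. Either way, the unquoted `SECRET_%s` line is only safe because the allowlist refuses the name before anything is rendered.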
@pelikhan pelikhan marked this pull request as ready for review October 11, 2025 05:22
@github-actions
Contributor Author

Agentic Changeset Generator triggered by this pull request

Added changeset documenting the patch-level security fix that prevents
injection vulnerabilities in YAML generation for secret redaction.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@pelikhan pelikhan merged commit 41ea160 into main Oct 11, 2025
3 checks passed
@pelikhan pelikhan deleted the fix/unsafe-quoting-redact-secrets-8e0f6adec4a778e0 branch October 11, 2025 05:25