feat: github.ref_name is always an injection risk (#67)

woodruffw · Oct 28, 2024 · 704fcdd · 704fcdd
1 parent 32a28f7
commit 704fcdd
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/audit/template_injection.rs b/src/audit/template_injection.rs
@@ -121,7 +121,7 @@ impl TemplateInjection {
                 } else if context.starts_with("env.") {
                     // Almost never exploitable.
                     bad_expressions.push((context.into(), Severity::Low, Confidence::High));
-                } else if context.starts_with("github.event.") {
+                } else if context.starts_with("github.event.") || context == "github.ref_name" {
                     // TODO: Filter these more finely; not everything in the event
                     // context is actually attacker-controllable.
                     bad_expressions.push((context.into(), Severity::High, Confidence::High));