fix: prevent script injection in GitHub Actions workflows (#1583)

yogeshchoudhary147 · web-flow · commit a78d1e2468c6 · 2026-04-10T08:59:31.000+05:30
## Summary

- Move `inputs.*` template expressions out of `run:` scripts and into
`env:` blocks across two workflow files
- Replace `$(pwd)` with `${{ github.workspace }}` in `rl-secure.yml` to
maintain correct path resolution after the env var refactor

## Files changed

- `.github/actions/rl-scanner/action.yml` — `inputs.artifact-path` and
`inputs.version`
- `.github/workflows/rl-secure.yml` — `inputs.artifact-name` and
artifact path construction

## Security impact

Interpolating `${{ inputs.* }}` directly into `run:` scripts allows
shell metacharacters in user-controlled input to break out of the
intended command context. Routing through `env:` variables ensures
values are treated as data, not inline script.

&gt; **Note:** `.github/actions/framework/action.yml` was excluded because
its inputs contain shell operators (`&gt;`, `|`, `&amp;&amp;`) that require inline
expansion, and they are not user-controlled.
diff --git a/.github/actions/rl-scanner/action.yml b/.github/actions/rl-scanner/action.yml
@@ -40,16 +40,18 @@ runs:
         RLSECURE_SITE_KEY: ${{ env.RLSECURE_SITE_KEY }}
         SIGNAL_HANDLER_TOKEN: ${{ env.SIGNAL_HANDLER_TOKEN }}
         PYTHONUNBUFFERED: 1
+        ARTIFACT_PATH: ${{ inputs.artifact-path }}
+        VERSION: ${{ inputs.version }}
       run: |
-        if [ ! -f "${{ inputs.artifact-path }}" ]; then
-          echo "Artifact not found: ${{ inputs.artifact-path }}"
+        if [ ! -f "$ARTIFACT_PATH" ]; then
+          echo "Artifact not found: $ARTIFACT_PATH"
           exit 1
         fi
 
         rl-wrapper \
-          --artifact "${{ inputs.artifact-path }}" \
+          --artifact "$ARTIFACT_PATH" \
           --name "${{ github.event.repository.name }}" \
-          --version "${{ inputs.version }}" \
+          --version "$VERSION" \
           --repository "${{ github.repository }}" \
           --commit "${{ github.sha }}" \
           --build-env "github_actions" \
diff --git a/.github/workflows/rl-secure.yml b/.github/workflows/rl-secure.yml
@@ -43,8 +43,10 @@ jobs:
           node: ${{ inputs.node-version }}
 
       - name: Create tgz build artifact
+        env:
+          ARTIFACT_NAME: ${{ inputs.artifact-name }}
         run: |
-          tar -czvf ${{ inputs.artifact-name }} *
+          tar -czvf "$ARTIFACT_NAME" *
 
       - id: get_version
         uses: ./.github/actions/get-version
@@ -53,7 +55,7 @@ jobs:
         id: rl-scan-conclusion
         uses: ./.github/actions/rl-scanner
         with:
-          artifact-path: "$(pwd)/${{ inputs.artifact-name }}"
+          artifact-path: "${{ github.workspace }}/${{ inputs.artifact-name }}"
           version: "${{ steps.get_version.outputs.version }}"
         env:
           RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
