PATH environment variable built from user-controlled sources

ID: actions/envpath-injection/critical
Kind: path-problem
Security severity: 9
Severity: error
Precision: very-high
Tags:
  - actions
  - security
  - external/cwe/cwe-077
  - external/cwe/cwe-020
Query suites:
  - actions-code-scanning.qls
  - actions-security-extended.qls
  - actions-security-and-quality.qls


Overview

GitHub Actions lets a workflow step extend the system PATH by writing to the file pointed to by the GITHUB_PATH environment variable. Each directory written to this file is prepended to PATH and is automatically available to all subsequent steps in the current job (the step that wrote it does not see the change).

For example:

echo "$HOME/.local/bin" >> "$GITHUB_PATH"

Because the directory is prepended, an executable placed there takes precedence over the system copy of a tool with the same name. If an attacker can control what is written to GITHUB_PATH, they can therefore decide which binaries run when later steps of the same job invoke commands by name.

Recommendation

Do not allow untrusted data to influence the system PATH. In particular, never derive the directory written to GITHUB_PATH from attacker-controlled sources such as issue or pull request comment bodies, titles, branch names, or the contents of downloaded artifacts.

Example

Incorrect Usage

Consider the following step, which extracts a directory from the body of an issue comment and adds it to the system PATH:

steps:
  - name: Set the path
    env:
      BODY: ${{ github.event.comment.body }}
    run: |
      PATH=$(echo "$BODY" | grep -oP 'system path: \K\S+')
      echo "$PATH" >> "$GITHUB_PATH"

Anyone who can post a comment controls github.event.comment.body, and so controls the directory that is prepended to PATH. The same problem arises when the value comes from other untrusted inputs, such as downloaded artifacts. If that directory contains an executable named after a tool a later step invokes, the attacker's program runs instead of the real one, giving arbitrary command execution in the job.
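The following script is an added example, not code from the CodeQL query help or the CodeQL repository. The first part stands in for the runner and shows how an attacker-chosen GITHUB_PATH entry shadows a tool used by a later step; the second part is a validation function a workflow step can call instead of echoing untrusted text into GITHUB_PATH. The function names, the mktemp-built directories, the fake `curl` and the "comment body" literal are all constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the CodeQL query help or the CodeQL repository).
# Part 1 simulates how the runner turns GITHUB_PATH entries into PATH and how
# an attacker-chosen directory shadows a tool used by a later step.
# Part 2 is a validation function a step can call instead of echoing untrusted
# text into GITHUB_PATH. Function names, directories and the fake "curl" are
# constructed for this demo.

# Constructed stand-in for the runner: every line in the GITHUB_PATH file is
# prepended to PATH before the next step starts, so each entry shadows the
# system directories.
apply_github_path() {
  # $1: path to a GITHUB_PATH file; prints the PATH the next step would see
  _p="$PATH"
  while IFS= read -r _dir; do
    if [ -n "$_dir" ]; then
      _p="$_dir:$_p"
    fi
  done < "$1"
  printf '%s\n' "$_p"
}

# Vulnerable flow: the directory comes from untrusted text (a literal here,
# standing in for the comment body) and contains a fake "curl".
# Prints the path that "curl" resolves to in a later step.
demo_shadowed_command() {
  work=$(mktemp -d)
  mkdir -p "$work/evil"
  printf '#!/bin/sh\necho "attacker code running as $(id -un)"\n' > "$work/evil/curl"
  chmod +x "$work/evil/curl"
  gp="$work/github_path"
  # Equivalent of the vulnerable step: echo "$PATH_FROM_COMMENT" >> "$GITHUB_PATH"
  printf '%s\n' "$work/evil" > "$gp"
  newpath=$(apply_github_path "$gp")
  # Resolve "curl" the way a later step would with the updated PATH.
  (PATH="$newpath"; command -v curl)
  rm -rf "$work"
}

# Hardened flow: accept only an existing directory below the job's workspace,
# built from a conservative character set, with no ".." components. Anything
# else is rejected and nothing is written to GITHUB_PATH.
safe_add_to_path() {
  # $1: candidate directory  $2: GITHUB_WORKSPACE  $3: GITHUB_PATH file
  candidate="$1"; workspace="$2"; gp="$3"
  case "$candidate" in
    *[!A-Za-z0-9/._-]*)        # rejects spaces, newlines, shell metacharacters
      echo "rejected: unexpected characters" >&2; return 1 ;;
    */..|*/../*)               # rejects traversal out of the workspace
      echo "rejected: parent-directory component" >&2; return 1 ;;
    "$workspace"/*) ;;         # allow-list: must be below the workspace
    *)
      echo "rejected: outside workspace" >&2; return 1 ;;
  esac
  if [ ! -d "$candidate" ]; then
    echo "rejected: not an existing directory" >&2; return 1
  fi
  printf '%s\n' "$candidate" >> "$gp"
}
```

In a workflow, the call would be `safe_add_to_path "$DIR" "$GITHUB_WORKSPACE" "$GITHUB_PATH"` inside a `run:` step, with `$DIR` taken from a trusted source (a step output or a checked-in configuration value). The validation is defence in depth: the primary fix remains not deriving the directory from untrusted data at all, since the newline check and the workspace allow-list only limit what an attacker can inject, and a writable location inside the workspace is still a risk if untrusted code is checked out there.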
