Insecure Workflow Commands
Description
GitHub Actions once let steps set environment variables and modify PATH by printing ::set-env and ::add-path stdout commands. Because any process output could set variables, this was a code-execution sink and GitHub disabled it — unless the workflow opts back in with ACTIONS_ALLOW_UNSECURE_COMMANDS: true. 1 Re-enabling these commands (or using them directly) lets attacker-influenced output define variables like LD_PRELOAD/NODE_OPTIONS or prepend a directory to PATH, exactly like the modern GitHub Environment File Injection sink.
Vulnerable Instance
- A workflow, job, or step sets
ACTIONS_ALLOW_UNSECURE_COMMANDS: true. - Or a step still emits
::set-env/::add-pathstdout commands.
jobs:
build:
runs-on: ubuntu-latest
env:
ACTIONS_ALLOW_UNSECURE_COMMANDS: true # re-enables the injectable commands
steps:
- run: echo "::set-env name=PATH::/tmp/evil:$PATH"Mitigation Strategies
- Remove
ACTIONS_ALLOW_UNSECURE_COMMANDS. There is no safe reason to re-enable the deprecated commands. - Use the environment files. Migrate to
$GITHUB_ENVand$GITHUB_PATH, and validate any user-controllable value before writing it (see GitHub Environment File Injection). - Update old actions. If a dependency requires the flag, upgrade it to a version that uses the environment files.
Secure Version
jobs:
build:
runs-on: ubuntu-latest
- env:
- ACTIONS_ALLOW_UNSECURE_COMMANDS: true
steps:
- - run: echo "::set-env name=FOO::bar"
+ - run: echo "FOO=bar" >> "$GITHUB_ENV"
Impact
| Dimension | Severity | Notes |
|---|---|---|
| Likelihood | Uncommon in modern workflows, but persists in older ones and some third-party actions. | |
| Risk | Re-enables an injection sink that can execute code in later steps. | |
| Blast radius | Code runs with the job’s secrets and token access. |
References
- GitHub Blog, “Deprecating set-env and add-path commands,” https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/ 1
- GitHub Docs, “Security hardening for GitHub Actions,” https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions 2
GitHub Blog, “Deprecating set-env and add-path commands,” https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/ ↩︎ ↩︎
GitHub Docs, “Security hardening for GitHub Actions,” https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions ↩︎