From 5fd9535f390c73e97058e37971b305a2a9191fa0 Mon Sep 17 00:00:00 2001
From: Security Fix PR
Date: Sat, 11 Oct 2025 05:17:05 +0000
Subject: [PATCH 1/2] Security: Fix unsafe quoting vulnerability in secret redaction
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This commit fixes CodeQL alert #10 (go/unsafe-quoting) in pkg/workflow/redact_secrets.go by properly escaping single quotes and backslashes before embedding secret references in YAML strings.
**Issue**: JSON values containing single quotes could break out of enclosing quotes, potentially leading to command/SQL/code injection (CWE-78, CWE-89, CWE-94).
**Fix**: Added escapeSingleQuote() helper function that:
- Escapes backslashes first to prevent interference
- Escapes single quotes to prevent breaking out of quoted strings
- Applied escaping to all secret references before embedding in YAML
**Security Impact**: Prevents potential injection attacks when secret names contain special characters that could manipulate the generated YAML structure.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
 pkg/workflow/redact_secrets.go | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/pkg/workflow/redact_secrets.go b/pkg/workflow/redact_secrets.go
index 41731f6cd2a..10e401fbd43 100644
--- a/pkg/workflow/redact_secrets.go
+++ b/pkg/workflow/redact_secrets.go
@@ -6,6 +6,15 @@ import (
 	"strings"
 )
 
+// escapeSingleQuote escapes single quotes and backslashes in a string to prevent injection
+// when embedding data in single-quoted YAML strings
+func escapeSingleQuote(s string) string {
+	// First escape backslashes, then escape single quotes
+	s = strings.ReplaceAll(s, `\`, `\\`)
+	s = strings.ReplaceAll(s, `'`, `\'`)
+	return s
+}
+
 // CollectSecretReferences extracts all secret references from the workflow YAML
 // This scans for patterns like ${{ secrets.SECRET_NAME }} or secrets.SECRET_NAME
 func CollectSecretReferences(yamlContent string) []string {
@@ -67,12 +76,19 @@ func (c *Compiler) generateSecretRedactionStep(yaml *strings.Builder, yamlConten
 	yaml.WriteString(" env:\n")
 
 	// Pass the list of secret names as a comma-separated string
-	yaml.WriteString(fmt.Sprintf(" GITHUB_AW_SECRET_NAMES: '%s'\n", strings.Join(secretReferences, ",")))
+	// Escape each secret reference to prevent injection when embedding in YAML
+	escapedRefs := make([]string, len(secretReferences))
+	for i, ref := range secretReferences {
+		escapedRefs[i] = escapeSingleQuote(ref)
+	}
+	yaml.WriteString(fmt.Sprintf(" GITHUB_AW_SECRET_NAMES: '%s'\n", strings.Join(escapedRefs, ",")))
 
 	// Pass the actual secret values as environment variables so they can be redacted
 	// Each secret will be available as an environment variable
 	for _, secretName := range secretReferences {
-		yaml.WriteString(fmt.Sprintf(" SECRET_%s: ${{ secrets.%s }}\n", secretName, secretName))
+		// Escape secret name to prevent injection in YAML
+		escapedSecretName := escapeSingleQuote(secretName)
+		yaml.WriteString(fmt.Sprintf(" SECRET_%s: ${{ secrets.%s }}\n", escapedSecretName, escapedSecretName))
 	}
 }
 
From 840660013a9cbb2f8e07427aa3e29530c21e5ee2 Mon Sep 17 00:00:00 2001
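Review bot: escapeSingleQuote applies backslash-style escaping, but the only quoted context it feeds (the `'%s'` in the GITHUB_AW_SECRET_NAMES line of the second hunk) is a YAML single-quoted scalar, where a backslash is a literal character and a single quote is escaped only by doubling it. A name containing `'` therefore still terminates the scalar early (`'a\'b'` parses as the scalar `a\` followed by stray text), so the breakout this commit sets out to close is not closed, and a legitimate backslash now comes out doubled. For that context the helper should reduce to `return strings.ReplaceAll(s, "'", "''")` with no backslash handling, and its doc comment should say it is specific to YAML single-quoted scalars rather than "YAML strings" in general. The function is visible in full within the hunk.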
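Review bot: In the second loop escapedSecretName is interpolated into the unquoted env key `SECRET_%s` and the expression `${{ secrets.%s }}`, neither of which is a single-quoted string, so escaping cannot make a hostile name safe there; a name with `'` or `\` now produces an invalid key and expression instead of a breakout, and characters such as `:` or `#` would still change the unquoted YAML structure. Because GitHub restricts secret names to letters, digits and underscores, the robust check is an allowlist on the raw name before either write, for example a package-level `var secretNameRe = regexp.MustCompile("^[A-Za-z_][A-Za-z0-9_]*$")` (adding `regexp` to the imports) and `if !secretNameRe.MatchString(secretName) { continue }` at the top of both loops, or returning an error if the method's callers can handle one (its signature is truncated in the hunk header). Whether CollectSecretReferences already constrains the character set cannot be seen here; if it matches identifier characters only, the escaping added in both places is redundant and the allowlist is what documents that invariant. generateSecretRedactionStep begins before the hunk.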
From: Changeset Generator
Date: Sat, 11 Oct 2025 05:23:42 +0000
Subject: [PATCH 2/2] Add changeset for security fix in secret redaction
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Added changeset documenting the patch-level security fix that prevents injection vulnerabilities in YAML generation for secret redaction.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
 .changeset/patch-fix-unsafe-quoting-secret-redaction.md | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 .changeset/patch-fix-unsafe-quoting-secret-redaction.md

diff --git a/.changeset/patch-fix-unsafe-quoting-secret-redaction.md b/.changeset/patch-fix-unsafe-quoting-secret-redaction.md
new file mode 100644
index 00000000000..050e3d4f757
--- /dev/null
+++ b/.changeset/patch-fix-unsafe-quoting-secret-redaction.md
@@ -0,0 +1,7 @@
+---
+"gh-aw": patch
+---
+
+Security fix: Prevent injection vulnerability in secret redaction YAML generation
+
+Fixed a critical security vulnerability (CodeQL go/unsafe-quoting) where secret names containing single quotes could break out of enclosing quotes in generated YAML strings, potentially leading to command injection, SQL injection, or code injection attacks. Added proper escaping via a new `escapeSingleQuote()` helper function that sanitizes secret references before embedding them in YAML.