fix: Replace template injection with secure context.payload access

Zohayb Bhatti · Zohayb Bhatti · commit 15c6b8be79e6 · 2025-11-05T23:18:23.000-06:00
- Replace github.event.workflow_run.head_sha template injection with context.payload.workflow_run?.head_sha
- Add SHA format validation (40 hex characters) before use
- Fixes Kusari security scanner template injection vulnerabilities
- Addresses issues in build-binaries.yml, docker-push.yml, and security-scan.yml
diff --git a/.github/workflows/build-binaries.yml b/.github/workflows/build-binaries.yml
@@ -44,11 +44,16 @@ jobs:
         uses: actions/github-script@v7
         with:
           script: |
+            const headSha = context.payload.workflow_run?.head_sha;
+            if (!headSha || !/^[a-f0-9]{40}$/i.test(headSha)) {
+              core.setFailed('Invalid head SHA');
+              return;
+            }
             const { data: runs } = await github.rest.actions.listWorkflowRuns({
                 owner: context.repo.owner,
                 repo: context.repo.repo,
                 workflow_id: 'lint.yaml',
-                head_sha: '${{ github.event.workflow_run.head_sha }}',
+                head_sha: headSha,
                 per_page: 1
             });
             if (runs.workflow_runs.length > 0 && runs.workflow_runs[0].conclusion !== 'success') {
diff --git a/.github/workflows/docker-push.yml b/.github/workflows/docker-push.yml
@@ -30,11 +30,16 @@ jobs:
         uses: actions/github-script@v7
         with:
           script: |
+            const headSha = context.payload.workflow_run?.head_sha;
+            if (!headSha || !/^[a-f0-9]{40}$/i.test(headSha)) {
+              core.setFailed('Invalid head SHA');
+              return;
+            }
             const { data: runs } = await github.rest.actions.listWorkflowRuns({
               owner: context.repo.owner,
               repo: context.repo.repo,
               workflow_id: 'lint.yaml',
-              head_sha: '${{ github.event.workflow_run.head_sha }}',
+              head_sha: headSha,
               per_page: 1
             });
             if (runs.workflow_runs.length > 0 && runs.workflow_runs[0].conclusion !== 'success') {
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
@@ -24,11 +24,16 @@ jobs:
               uses: actions/github-script@v7
               with:
                   script: |
+                      const headSha = context.payload.workflow_run?.head_sha;
+                      if (!headSha || !/^[a-f0-9]{40}$/i.test(headSha)) {
+                        core.setFailed('Invalid head SHA');
+                        return;
+                      }
                       const { data: runs } = await github.rest.actions.listWorkflowRuns({
                           owner: context.repo.owner,
                           repo: context.repo.repo,
                           workflow_id: 'lint.yaml',
-                          head_sha: '${{ github.event.workflow_run.head_sha }}',
+                          head_sha: headSha,
                           per_page: 1
                       });
                       if (runs.workflow_runs.length > 0 && runs.workflow_runs[0].conclusion !== 'success') {
