
fix: remove unsafe exec() in action.go #6082

Open
orbisai0security wants to merge 1 commit into nektos:master from orbisai0security:fix-v001-env-injection-sanitize-input-newlines

Conversation

@orbisai0security

Summary

Fix critical severity security issue in pkg/runner/action.go.

Vulnerability

Field     Value
ID        V-001
Severity  CRITICAL
Scanner   multi_agent_ai
Rule      V-001
File      pkg/runner/action.go:451

Description: The populateEnvsFromInput() function reads action input values and writes them directly into the step environment map without sanitizing newline characters (\n, \r) or null bytes. When the environment map is serialized to the GitHub Actions environment file protocol format (envs.txt), unsanitized newlines allow an attacker to inject additional key=value pairs. Downstream shell steps that expand these injected variables without quoting will execute attacker-controlled commands within the CI/CD pipeline.

Changes

  • pkg/runner/action.go

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

Automated security fix by OrbisAI Security

Automated security fix generated by Orbis Security AI
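An added illustration of the newline issue described in the PR body and of the sanitizing fix; this is example code written for this page, not code from act's pkg/runner/action.go. It assumes a hypothetical sanitizeInputValue helper, an INPUT_<NAME> naming scheme and a simple one-pair-per-line env file, and shows a single input value with an embedded newline becoming a second key until the newline is stripped.

```go
package main

import "strings"

// sanitizeInputValue drops the characters that break a line-oriented
// KEY=VALUE file: LF, CR and NUL. Hypothetical helper, not act's own code.
func sanitizeInputValue(v string) string {
	return strings.Map(func(r rune) rune {
		if r == '\n' || r == '\r' || r == 0 {
			return -1 // strings.Map drops the rune when -1 is returned
		}
		return r
	}, v)
}

// populateEnvs copies action inputs into env as INPUT_<NAME> (assumed naming),
// sanitizing only when asked so the two behaviours can be compared.
func populateEnvs(inputs, env map[string]string, sanitize bool) {
	for name, val := range inputs {
		if sanitize {
			val = sanitizeInputValue(val)
		}
		env["INPUT_"+strings.ToUpper(name)] = val
	}
}

// serializeEnvFile writes one KEY=VALUE pair per line, the shape a simple
// env-file consumer expects.
func serializeEnvFile(env map[string]string) string {
	var b strings.Builder
	for k, v := range env {
		b.WriteString(k + "=" + v + "\n")
	}
	return b.String()
}

// parseEnvFile reads the file back as a naive consumer does: every line
// containing '=' becomes one pair, so an embedded newline yields an extra key.
func parseEnvFile(s string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(s, "\n") {
		if k, v, ok := strings.Cut(line, "="); ok {
			out[k] = v
		}
	}
	return out
}
```

Stripping is the minimal fix; rejecting such values outright, or writing them in a form the consumer reads as one multi-line value, keeps the original content intact.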
