---
title: Run block injection
description: Datadog, the leading service for cloud-scale monitoring.
---

# Run block injection

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `cicd-github-run-block-injection`

**Provider:** GitHub

**Platform:** CICD

**Severity:** Medium

**Category:** Insecure Configurations

#### Learn More{% #learn-more %}

- [Provider Reference](https://securitylab.github.com/research/github-actions-untrusted-input/)

### Description{% #description %}

Run steps in GitHub Actions must not interpolate or execute GitHub event fields that can be controlled by external users. Untrusted event data such as PR, issue and discussion titles and bodies, comments, branch names, and commit metadata can contain shell metacharacters or crafted payloads that lead to command injection, arbitrary code execution on runners, or misuse of repository secrets. The runner expands every `${{ ... }}` expression into the script text before the shell runs it, so quoting inside the `run` script offers no protection: a value that closes the quote and appends another command becomes part of the command line.

This risk is amplified for privileged triggers such as `pull_request_target` and some `workflow_run` scenarios, where the job runs in the context of the base repository with access to its secrets. For the `pull_request` trigger, these vulnerable fields are much more significant when the change comes from a fork.

Inspect the `run` property for direct references to GitHub context attributes such as:

- `github.event.pull_request.*`
- `github.event.issue.*`
- `github.event.comment.*`
- `github.event.discussion.*`
- `github.event.workflow_run.*`
- `github.head_ref`
- `github.*.authors.*`

Flag any step where the `run` string contains these patterns. This rule also flags `env.` usage within the `run` block, because `${{ env.NAME }}` is expanded into the script text exactly like any other expression.

To remediate, avoid shell-interpolating untrusted event data. Pass the value into the step through an `env:` entry and read it in the script as a quoted shell variable (`"$TITLE"`), so the shell treats it as data; validate or sanitize inputs; use repository secrets or explicitly allowlisted values; or pass data through actions that perform strict parsing and validation before executing commands.

Secure example that avoids using untrusted event fields:

```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Safe run
        run: echo "Build triggered for repository ${{ github.repository }}"
```
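To make the mechanism concrete, here is an added example (not code from this page, from Datadog, or from GitHub) that emulates what the runner does with a `run` block: `render` pastes the raw context value into the script text the way `${{ }}` expansion does, and `run_step` hands the result to bash. `vulnerable_step` mirrors `run: echo "Issue title: ${{ github.event.issue.title }}"`; `safe_step` mirrors the `env:` pattern used by the compliant composite action below. The issue title is a constructed attacker value, and the `render`/`run_step` helpers are assumptions that stand in for the runner's expression evaluator.

```python
import os
import re
import subprocess
from typing import Dict, Optional

# Constructed attacker-controlled issue title: closes the double quote in the
# script, runs a command, then reopens the quote so the script still parses.
EVIL_TITLE = '"; echo INJECTED; echo "'

# ${{ path }} with a single context path inside; a stand-in for the runner's
# expression evaluator (assumption: only bare context lookups are modelled).
EXPR = re.compile(r"\$\{\{\s*([A-Za-z_][\w.\-]*)\s*\}\}")


def render(template: str, context: Dict[str, str]) -> str:
    """Textually replace every ${{ path }} with context[path], as the runner does
    before the script reaches the shell. No quoting or escaping is applied."""
    return EXPR.sub(lambda m: context.get(m.group(1), ""), template)


def run_step(script: str, env: Optional[Dict[str, str]] = None) -> str:
    """Run a rendered `run:` block with bash and return its stdout."""
    proc = subprocess.run(
        ["bash", "-c", script],
        capture_output=True, text=True,
        env={**os.environ, **(env or {})},
    )
    return proc.stdout


def vulnerable_step(title: str) -> str:
    """Emulates:  run: echo "Issue title: ${{ github.event.issue.title }}"
    The value lands inside the script text, so the attacker's quote and
    semicolons become shell syntax."""
    script = render('echo "Issue title: ${{ github.event.issue.title }}"',
                    {"github.event.issue.title": title})
    return run_step(script)


def safe_step(title: str) -> str:
    """Emulates:
         env:
           TITLE: ${{ github.event.issue.title }}
         run: echo "Issue title: $TITLE"
    The expression is expanded into an environment variable, not into the
    script, so bash sees the value as data when it expands "$TITLE"."""
    value = render("${{ github.event.issue.title }}",
                   {"github.event.issue.title": title})
    return run_step('echo "Issue title: $TITLE"', env={"TITLE": value})


if __name__ == "__main__":
    print("vulnerable:", repr(vulnerable_step(EVIL_TITLE)))
    print("safe:      ", repr(safe_step(EVIL_TITLE)))
```

With the constructed title, the vulnerable form prints `INJECTED` on its own line because the rendered script is `echo "Issue title: "; echo INJECTED; echo ""`, while the `env:` form prints the title verbatim. Writing `${{ env.TITLE }}` inside `run:` would reintroduce the problem, since the runner expands it into the script text like any other expression; that is why the rule also flags `env.` references in run blocks.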

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
name: check-go-coverage

on:
  pull_request_target:
    branches: [master]

jobs:
  coverage:
    name: Check Go coverage
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Source
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set up Go 1.22.x
        uses: actions/setup-go@v5
        with:
          go-version: 1.22.x
      - name: Run test metrics script
        id: testcov
        run: |
          make test-coverage-report | tee test-results
          echo "coverage=$(grep "Total coverage: " test-results | cut -d ":" -f 2 | bc)" >> "$GITHUB_ENV"
      - name: Checks if Go coverage is at least 80%
        if: env.coverage < 80
        run: |
          # coverage was exported via GITHUB_ENV above; read it as a shell variable
          # rather than through a ${{ }} expression in the run block
          echo "Go coverage is lower than 80%: ${coverage}%"
          exit 1
```

```yaml
name: Safe composite action
description: A composite action that uses inputs through environment variables to avoid shell injection
inputs:
  slack-message:
    description: The message to send
    required: true
runs:
  using: composite
  steps:
    - name: Send message safely
      shell: bash
      env:
        SLACK_MESSAGE: ${{ inputs.slack-message }}
      run: |
        echo "$SLACK_MESSAGE"
```

```yaml
name: Safe composite action without inputs
description: A composite action whose run block does not interpolate untrusted data
runs:
  using: composite
  steps:
    - name: Show repository
      shell: bash
      run: |
        echo "Build triggered for ${{ github.repository }}"
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
name: Web Page To Markdown
on:
  issues:
    types: [opened]
jobs:
  WebPageToMarkdown:
    runs-on: ubuntu-latest
    steps:
      - name: Does the issue need to be converted to markdown
        run: |
          if [ "${{ github.event.issue.body }}" ]; then
            if [[ "${{ github.event.issue.title }}" =~ ^\[Auto\]* ]]; then
              :
            else
              echo "This issue does not need to generate a markdown file." 1>&2
              exit 1;
            fi;
          else
            echo "The description of the issue is empty." 1>&2
            exit 1;
          fi;
        shell: bash
      - name: Checkout
        uses: actions/checkout@v4
        with:
          ref: ${{ github.head_ref }}
      - name: Crawl pages and generate Markdown files
        uses: freeCodeCamp-China/article-webpage-to-markdown-action@v0.1.8
        with:
          newsLink: '${{ github.event.issue.body }}'
          markDownFilePath: './chinese/articles/'
          githubToken: ${{ github.token }}
      - name: Git Auto Commit
        uses: stefanzweifel/git-auto-commit-action@v4.9.2
        with:
          commit_message: '${{ github.event.issue.title }}'
          file_pattern: chinese/articles/*.md
          commit_user_name: PageToMarkdown Bot
          commit_user_email: PageToMarkdown-bot@freeCodeCamp.org
```

```yaml
name: Array Trigger Format Test

on: [pull_request, push]

jobs:
  test_array_trigger:
    runs-on: ubuntu-latest
    steps:
      - name: Process PR with array format trigger
        run: |
          echo "PR Title: ${{ github.event.pull_request.title }}"
          echo "Branch: ${{ github.event.pull_request.head.ref }}"
```

```yaml
name: Pull Request Injection Test

on:
  pull_request:
    branches: [main]

jobs:
  process_pr:
    runs-on: ubuntu-latest
    steps:
      - name: Process PR Title
        run: |
          echo "PR Title: ${{ github.event.pull_request.title }}"

      - name: Process PR Body
        run: |
          echo "PR Body: ${{ github.event.pull_request.body }}"

      - name: Process Head Ref
        run: |
          echo "Head Ref: ${{ github.head_ref }}"

      - name: Process PR Head Label
        run: |
          echo "PR Label: ${{ github.event.pull_request.head.label }}"
```
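The detection logic described in the Description, turned into an added example (not Datadog's rule engine, which this page does not publish): a small Python checker that walks a parsed workflow or composite action, pulls the context paths out of every `${{ }}` expression in each `run` string, and reports those matching the listed patterns, including `env.*`. The sample workflow is a constructed, pre-parsed copy of the non-compliant "Web Page To Markdown" example above (so there is no YAML-library dependency) with a remediated step added; the location format and helper names are assumptions.

```python
import re
from fnmatch import fnmatchcase

# Context paths the Description lists as untrusted, plus env.*, which the rule
# also flags inside run blocks. fnmatch-style globs, matched case-sensitively.
FLAGGED_PATTERNS = [
    "github.event.pull_request.*",
    "github.event.issue.*",
    "github.event.comment.*",
    "github.event.discussion.*",
    "github.event.workflow_run.*",
    "github.head_ref",
    "github.*.authors.*",
    "env.*",
]

EXPR = re.compile(r"\$\{\{(.*?)\}\}", re.DOTALL)  # one ${{ ... }} expression
PATH = re.compile(r"[A-Za-z_][\w.\-]*")           # a dotted context path inside it


def context_paths(run_text):
    """Every dotted name referenced inside ${{ }} in a run string, in order."""
    return [p for m in EXPR.finditer(run_text) for p in PATH.findall(m.group(1))]


def is_flagged(path):
    return any(fnmatchcase(path, pat) for pat in FLAGGED_PATTERNS)


def steps_of(doc):
    """Yield (location, step) for a workflow (jobs.<id>.steps) or a composite
    action (runs.steps); both shapes appear in the examples on this page."""
    for job_id, job in (doc.get("jobs") or {}).items():
        for i, step in enumerate(job.get("steps") or []):
            yield "jobs.%s.steps[%d]" % (job_id, i), step
    for i, step in enumerate((doc.get("runs") or {}).get("steps") or []):
        yield "runs.steps[%d]" % i, step


def scan(doc):
    """Return [(location, path), ...] for each flagged path interpolated in a
    run block. Expressions under `with:` or `env:` are not inspected here:
    they are not shell code, so the shell never parses their value."""
    findings = []
    for loc, step in steps_of(doc):
        run = step.get("run")
        if not isinstance(run, str):
            continue
        findings.extend((loc, p) for p in context_paths(run) if is_flagged(p))
    return findings


# Constructed sample: the non-compliant "Web Page To Markdown" workflow from
# this page as yaml.safe_load would parse it, plus a step remediated via env:.
SAMPLE_WORKFLOW = {
    "name": "Web Page To Markdown",
    "on": {"issues": {"types": ["opened"]}},
    "jobs": {"WebPageToMarkdown": {"runs-on": "ubuntu-latest", "steps": [
        {"name": "Does the issue need to be converted to markdown",
         "shell": "bash",
         "run": 'if [ "${{ github.event.issue.body }}" ]; then\n'
                '  if [[ "${{ github.event.issue.title }}" =~ ^\\[Auto\\]* ]]; then :; fi\n'
                'fi\n'},
        {"name": "Checkout", "uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.head_ref }}"}},
        {"name": "Remediated", "env": {"TITLE": "${{ github.event.issue.title }}"},
         "run": 'echo "$TITLE"'},
        {"name": "Safe run",
         "run": 'echo "Build triggered for ${{ github.repository }}"'},
    ]}},
}

if __name__ == "__main__":
    for loc, path in scan(SAMPLE_WORKFLOW):
        print("%s: run block interpolates untrusted field %s" % (loc, path))
```

Run against the sample, the checker reports only the first step (for `github.event.issue.body` and `github.event.issue.title`): the remediated step references the title through `env:` and a shell variable, and `github.repository` is not an attacker-controlled field. A `run` block containing `${{ env.coverage }}` would be reported as well, matching the rule's treatment of `env.` inside run blocks.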
