[PR #5274] [CLOSED] fix: using variable interpolation `${{ in build-and-push-image.yml (y... #5223

New issue

Closed

opened 2026-05-05 14:56:59 -06:00 by gitea-mirror · 0 comments

gitea-mirror commented

2026-05-05 14:56:59 -06:00

Owner

📋 Pull Request Information

Original PR: https://github.com/fatedier/frp/pull/5274
Author: @orbisai0security
Created: 4/1/2026
Status: ❌ Closed

Base: dev ← Head: fix-fix-shell-injection-build-and-push-image

📝 Commits (1)

0418fea fix: using variable interpolation `${{ in build-and-push-image.yml

📊 Changes

1 file changed (+4 additions, -2 deletions)

View changed files

📝 .github/workflows/build-and-push-image.yml (+4 -2)

📄 Description

Summary

Fix high severity security issue in .github/workflows/build-and-push-image.yml.

Vulnerability

Field	Value
ID	yaml.github-actions.security.run-shell-injection.run-shell-injection
Severity	HIGH
Scanner	semgrep
Rule	`yaml.github-actions.security.run-shell-injection.run-shell-injection`
File	`.github/workflows/build-and-push-image.yml:34`

Description: Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".

Changes

.github/workflows/build-and-push-image.yml

Verification

Build passes
Scanner re-scan confirms fix
Code review passed

Automated security fix by OrbisAI Security

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/fatedier/frp/pull/5274 **Author:** [@orbisai0security](https://github.com/orbisai0security) **Created:** 4/1/2026 **Status:** ❌ Closed **Base:** `dev` ← **Head:** `fix-fix-shell-injection-build-and-push-image` --- ### 📝 Commits (1) - [`0418fea`](https://github.com/fatedier/frp/commit/0418feada50af419633952c0e71d052a320ea922) fix: using variable interpolation `${{ in build-and-push-image.yml ### 📊 Changes **1 file changed** (+4 additions, -2 deletions) <details> <summary>View changed files</summary> 📝 `.github/workflows/build-and-push-image.yml` (+4 -2) </details> ### 📄 Description ## Summary Fix high severity security issue in `.github/workflows/build-and-push-image.yml`. ## Vulnerability | Field | Value | |-------|-------| | **ID** | yaml.github-actions.security.run-shell-injection.run-shell-injection | | **Severity** | HIGH | | **Scanner** | semgrep | | **Rule** | `yaml.github-actions.security.run-shell-injection.run-shell-injection` | | **File** | `.github/workflows/build-and-push-image.yml:34` | **Description**: Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR". ## Changes - `.github/workflows/build-and-push-image.yml` ## Verification - [x] Build passes - [x] Scanner re-scan confirms fix - [x] Code review passed --- *Automated security fix by [OrbisAI Security](https://orbisappsec.com)* --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>