Class: Rules::WorkflowDispatchInjection

Inherits:

Base

• Object
• Base
• Rules::WorkflowDispatchInjection

Defined in:

lib/rules/workflow_dispatch_injection.rb

Constant Summary

PATTERN =

/\$\{\{\s*(?:inputs\.|github\.event\.inputs\.)/

Instance Method Summary

• #check(workflow) ⇒ Object
• #description ⇒ Object
• #name ⇒ Object
• #severity ⇒ Object

Instance Method Details

#check(workflow) ⇒ Object

# File 'lib/rules/workflow_dispatch_injection.rb', line 9

def check(workflow)
    findings = []

    workflow.lines_of(PATTERN).each do |line_num|
        line = workflow.line_content(line_num)
        next unless in_run_block?(workflow, line_num)

        match = line.match(/\$\{\{\s*((?:inputs|github\.event\.inputs)\.[^\s}]+)/)
        next unless match

        findings << finding(workflow,
            line: line_num,
            code: line.strip,
            message: "User-controlled input ${{ #{match[1]} }} in run: block — shell injection risk",
            fix: "Move to env: block and reference as $ENV_VAR"
        )
    end

    findings
end

#description ⇒ Object

# File 'lib/rules/workflow_dispatch_injection.rb', line 4

def description = "User-controlled workflow_dispatch input in run: block"

#name ⇒ Object

# File 'lib/rules/workflow_dispatch_injection.rb', line 3

def name = "workflow-dispatch-injection"

#severity ⇒ Object

# File 'lib/rules/workflow_dispatch_injection.rb', line 5

def severity = :high