fix(security): sanitize file paths in log messages to prevent GitHub Actions workflow command injection#2925
Conversation
…Actions workflow command injection Several log sites echo file paths derived from filesystem walk of the scanned repository without applying output.SanitizeForWorkflowCommand. On Linux file names may contain \r/\n bytes and git tracks such files, so an attacker-controlled repository (typically via pull_request-triggered osv-scanner-action) could inject ::add-mask::, ::stop-commands::, ::error::, etc. into the runner's stdout. pkg/osvscanner/scan.go:158 already applies the correct guard for the directory-name log line and its source comment explains the threat model. This change extends the same guard to the remaining unsanitized sites: - internal/config/manager.go:57,61 (config LoadPath / configPath) - internal/config/config.go:164 (LoadPath on duplicate-ignores warning) - pkg/osvscanner/osvscanner.go:401 (configFile on unused-ignores warning) - internal/sourceanalysis/rust.go:55,62,73 (rust binary path in analysis errors) Refs: https://issuetracker.google.com/issues/533784193
|
While looking at this, I noticed the same threat model also reaches a set of package-identity log sinks that this PR doesn't cover — ones that read the package name / version / ecosystem from lockfile or SBOM contents rather than from a file path. There's no global guard (the
A package name can legally contain |
Problem
Several log sites in osv-scanner echo file paths derived from filesystem walk of the scanned repository without applying
output.SanitizeForWorkflowCommand. On Linux, file names may contain\r/\nbytes and git tracks such files, so an attacker-controlled repository (typically viapull_request-triggeredgoogle/osv-scanner-action) could inject::add-mask::,::stop-commands::,::error::, etc. into the runner's stdout.Prior art in the same repository
pkg/osvscanner/scan.go:158already applies the correct guard for the directory-name log line, and its source comment explains the exact threat model:Fix
Extend the same guard to the remaining unsanitized sites:
internal/config/manager.go:57,61— config LoadPath / configPath (derived from lockfile path viaManager.Get(loc)→normalizeConfigLoadPath)internal/config/config.go:164—LoadPathon duplicate-ignores warningpkg/osvscanner/osvscanner.go:401—configFileon unused-ignores warninginternal/sourceanalysis/rust.go:55,62,73— Rust binary path in analysis errorsRelated VRP report
https://issuetracker.google.com/issues/533784193
No behaviour change for benign paths
SanitizeForWorkflowCommandis an identity function on strings that contain no\ror\n, so no CI or user-visible output changes for typical file paths.