What Changed
Fixed code injection risks in GitHub workflow files by replacing direct GitHub context interpolation with environment variable assignments that are properly scoped and safer from injection attacks.
Security Impact
The previous pattern allowed potential command injection when untrusted user input was directly interpolated into shell commands. This created a security risk where malicious actors could potentially execute arbitrary commands in the CI environment.
Before (vulnerable): Direct interpolation of GitHub context into PowerShell variables
After (secure): Environment variable assignment with proper scoping
Files Affected
- .github/workflows/allowedWorkflowRun.yaml: Updated user validation logic
- .github/workflows/checkSkipPackagingInfo.yaml: Secured packaging workflow variables
- Removed legacy validation tools directory (Tools/validate-detections/)
The fix ensures that untrusted GitHub context data is properly isolated through environment variable scoping rather than direct string interpolation.
Affected Files
.github/workflows/allowedWorkflowRun.yaml
.github/workflows/checkSkipPackagingInfo.yaml
Tools/validate-detections/LICENSE
Tools/validate-detections/README.md
Tools/validate-detections/action.ps1
Tools/validate-detections/action.yml
Tools/validate-detections/analytics.tests.ps1
Tools/validate-detections/mitre.csv
Tools/validate-detections/yaml-analytics.tests.ps1
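
A check for the pattern this change removes, as an added example that is not part of the pull request or the repository's code: it scans workflow text for `${{ github.* }}` expressions that land inside a `run:` script, where the value is pasted into the script before the shell parses it. The sample workflow, the `pull_request.title` field, and the function name are constructed for illustration.

```python
import re

# Constructed sample workflow (not taken from the PR). The "before" step
# interpolates context straight into the PowerShell script; the "after" step
# passes the same value through env: and reads it as $env:PR_TITLE.
SAMPLE = '''\
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: before
        shell: pwsh
        run: |
          $title = "${{ github.event.pull_request.title }}"
          Write-Host "PR title: $title"
      - name: after
        shell: pwsh
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          $title = $env:PR_TITLE
          Write-Host "PR title: $title"
'''

EXPR = re.compile(r"\$\{\{\s*(github\.[^}]*?)\s*\}\}")
RUN = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

def find_run_interpolations(text):
    """Return (line_no, expression) for each ${{ github.* }} inside a run: script."""
    findings = []
    run_indent = None  # column of the active run: key, None when outside a script
    for no, line in enumerate(text.splitlines(), 1):
        if run_indent is not None:
            indent = len(line) - len(line.lstrip())
            if not line.strip() or indent > run_indent:
                findings += [(no, e) for e in EXPR.findall(line)]
                continue
            run_indent = None  # dedented: the block scalar has ended
        m = RUN.match(line)
        if m:
            findings += [(no, e) for e in EXPR.findall(m.group(2))]  # inline script
            if m.group(2).startswith(("|", ">")):
                run_indent = len(m.group(1))  # multi-line script follows
    return findings

if __name__ == "__main__":
    print(find_run_interpolations(SAMPLE))
```

Expressions under `env:` are not reported, because the runner hands them to the process as data rather than splicing them into the script text.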