fix: detect committer name/email as untrusted input in Dangerous Workflow check#4968

Open
alexchenai wants to merge 1 commit intoossf:mainfrom
alexchenai:fix/detect-committer-untrusted-input

Conversation

@alexchenai

Summary

  • Adds missing committer.name and committer.email patterns to the containsUntrustedContextPattern function for both head_commit and commits[*] contexts
  • The existing check detects author.name/author.email but misses the equivalent committer fields, which are independently controllable by attackers and equally dangerous for script injection
  • Includes 4 new unit test cases covering all added patterns

Fixes #3915 (partially -- addresses the committer gap identified by @pnacht in the issue comments)

Context

As noted by @pnacht in #3915 (comment), git committer identity is a separate field from author identity. An attacker can set arbitrary committer name/email values (e.g., via GIT_COMMITTER_NAME/GIT_COMMITTER_EMAIL), making these variables unsafe to use in inline shell scripts without sanitization.

Test plan

  • Added unit tests for head_commit.committer.name, head_commit.committer.email, commits[*].committer.name, commits[*].committer.email
  • Existing tests continue to pass

🤖 Generated with Claude Code
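The committer gap described in this PR, as an added example that is not Scorecard's own code: a constructed Go detector that scans a workflow `run:` script for `${{ }}` expressions referencing the attacker-controllable commit identity fields (author and committer, for `head_commit` and `commits[*]`) and leaves a step that reads the value through an environment variable unflagged. The regexes and the `UntrustedContexts` function are assumptions for illustration, not the project's `containsUntrustedContextPattern`.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// untrustedContextRe is a constructed pattern (not Scorecard's own) covering the
// push-event commit identity fields an attacker controls: author.* was already
// detected, committer.* is what this PR adds.
var untrustedContextRe = regexp.MustCompile(
	`\bgithub\.event\.(head_commit|commits\[[^\]]*\])\.(author|committer)\.(name|email)\b`)

// exprRe finds every ${{ ... }} expression interpolated into a run: script.
var exprRe = regexp.MustCompile(`\$\{\{([^}]*)\}\}`)

// UntrustedContexts returns the untrusted context references that are
// interpolated directly into the script text. A step that instead maps the
// value into env: and reads "$COMMITTER_NAME" is not flagged: the shell then
// sees an opaque variable, not attacker-supplied text spliced into the script.
func UntrustedContexts(run string) []string {
	var found []string
	for _, m := range exprRe.FindAllStringSubmatch(run, -1) {
		expr := strings.TrimSpace(m[1])
		if untrustedContextRe.MatchString(expr) {
			found = append(found, expr)
		}
	}
	return found
}

func main() {
	// Constructed sample steps: the first splices committer fields inline, the
	// second assumes env: COMMITTER_NAME: ${{ github.event.head_commit.committer.name }}
	// on the step and only references the variable.
	vulnerable := `echo "Pushed by ${{ github.event.head_commit.committer.name }} <${{ github.event.commits[0].committer.email }}>"`
	hardened := `echo "Pushed by $COMMITTER_NAME"`
	fmt.Println(UntrustedContexts(vulnerable))
	fmt.Println(UntrustedContexts(hardened))
}
```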

…flow check

The containsUntrustedContextPattern function detects author name/email
for head_commit and commits[*], but misses the equivalent committer
fields. Since git committer identity is independently controllable by
attackers, these variables are equally dangerous in shell script
injection contexts.

Adds detection for:
- github.event.head_commit.committer.name
- github.event.head_commit.committer.email
- github.event.commits[*].committer.name
- github.event.commits[*].committer.email

Fixes ossf#3915

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@alexchenai alexchenai requested a review from a team as a code owner March 19, 2026 11:41
@alexchenai alexchenai requested review from justaugustus and raghavkaul and removed request for a team March 19, 2026 11:41
@dosubot dosubot bot added the size:S This PR changes 10-29 lines, ignoring generated files. label Mar 19, 2026
@github-actions

github-actions bot commented Apr 9, 2026

This pull request has been marked stale because it has been open for 10 days with no activity

@github-actions github-actions bot added the Stale label Apr 9, 2026

Development

Successfully merging this pull request may close these issues.

Dangerous Workflow: some user input are not being detected as untrusted input.
