sec: randomize $GITHUB_ENV heredoc terminator in resolve-workflow-inputs.mjs

@zen-agentchecks n/achecks…zen/sec-heredoc-marker-3g7fag → main1 files · +9 −1updated 1mo ago

▸Description· 1 comment

Description

scripts/ci/resolve-workflow-inputs.mjs writes resolved env values to $GITHUB_ENV via a heredoc whose terminator was the static string __CODEX_EOF__. If a value contained that exact marker on its own line, the heredoc would close early and GitHub would parse following lines as arbitrary KEY=VALUE assignments, overwriting env vars (including GITHUB_TOKEN) in subsequent steps.

The script reads from:

workflow_dispatch.inputs.harness_env_json — JSON object whose values are emitted verbatim
workflow_call.inputs.harness_env_json — same
repository_dispatch.client_payload.harness_env_json — same

Today there is no untrusted source for these inputs:

workflow_dispatch requires repo write access
workflow_call is currently invoked from helm-charts with a hard-coded '{"RUN_TRIGGER_TESTS":"1"}'
repository_dispatch requires the ONPREM_TESTBED_WORKFLOW_DISPATCH_TOKEN PAT

So practical severity is LOW — but the static marker is a latent injection vector that future plumbing (e.g., a pull_request_target workflow that forwards a PR-supplied JSON) could expose. Fix it now while it's a one-line change.

The fix:

Generate a random EOF_<32 hex> terminator per emit() call via crypto.randomBytes(16)
If by astronomical chance the value contains the chosen delimiter, re-roll until it doesn't

Reference: GitHub Actions security hardening (set-output / save-state heredoc guidance).

How did I test this PR

pnpm typecheck — passes

Smoke test (normal payload):

GITHUB_EVENT_NAME=workflow_dispatch \
WORKFLOW_INPUTS_JSON='{"helm_chart_version":"1.2.3","harness_env_json":"{\"FOO\":\"bar\"}"}' \
node scripts/ci/resolve-workflow-inputs.mjs

Each variable now uses a unique EOF_<hex> delimiter, e.g.:

HELM_CHART_VERSION<<EOF_3230e050c8ddd9ae106e0923fed2f83a
1.2.3
EOF_3230e050c8ddd9ae106e0923fed2f83a

Adversarial payload (value contains old static marker plus a fake env line):

WORKFLOW_INPUTS_JSON='{"helm_chart_version":"1.2.3","harness_env_json":"{\"FOO\":\"bar\\n__CODEX_EOF__\\nGITHUB_TOKEN=evil\"}"}'

The injected lines now sit inside the heredoc body and do not close it:

FOO<<EOF_f5f0fd253ec9f22c596312ab6237b9d1
bar
__CODEX_EOF__
GITHUB_TOKEN=evil
EOF_f5f0fd253ec9f22c596312ab6237b9d1

GitHub will parse FOO as the multi-line literal and not set GITHUB_TOKEN.

Triggered by: dhawal@composio.dev | Source: cron Session: https://zen-api-production-4c98.up.railway.app/dashboard/#/chat/zen-cron-6c44a804d0c7 Origin: cron-48e51eab745f / zen-cron-6c44a804d0c7

@zen-agent1mo ago

Post-PR status

Build checks (onprem-testbed not in /build-checks profile registry, ran repo-native commands):

pnpm typecheck ✅ pass (3.4s)
pnpm test — N/A in this sandbox: vitest globalSetup requires helm pull from the authenticated registry.composio.io, which the sandbox cannot reach (per /workspace/CLAUDE.md: "sandbox-side verifier runs only pnpm typecheck").

Codex review (codex exec review --base origin/main):

The change safely replaces the fixed GitHub environment heredoc delimiter with a random per-value delimiter and checks for collisions. I did not find any introduced correctness issues in the modified code paths.

LGTM on iteration 1, no fixes needed.

CI: This repo has only one workflow (replicated-cmx-harness.yml) which triggers on workflow_dispatch / workflow_call / repository_dispatch — none fire on pull_request. There is genuinely no CI configured to run for this PR. Confirmed via gh api .../actions/runs?head_sha=... (empty) and the workflow trigger list.

Testing:

Smoke test (normal payload): each emitted variable now uses a unique EOF_<32hex> delimiter.
Adversarial test: payload {"FOO":"bar\n__CODEX_EOF__\nGITHUB_TOKEN=evil"} is now contained inside the heredoc body and does not inject GITHUB_TOKEN. Both runs included in the PR description.

Comments addressed: none — no review comments, conversation comments, or review submissions exist on this PR yet.

PR state: MERGEABLE / CLEAN. Ready for human review.

loading diff…

@zen-agent1mo ago

Post-PR status

Build checks (onprem-testbed not in /build-checks profile registry, ran repo-native commands):

pnpm typecheck ✅ pass (3.4s)
pnpm test — N/A in this sandbox: vitest globalSetup requires helm pull from the authenticated registry.composio.io, which the sandbox cannot reach (per /workspace/CLAUDE.md: "sandbox-side verifier runs only pnpm typecheck").

Codex review (codex exec review --base origin/main):

The change safely replaces the fixed GitHub environment heredoc delimiter with a random per-value delimiter and checks for collisions. I did not find any introduced correctness issues in the modified code paths.

LGTM on iteration 1, no fixes needed.

Testing:

Smoke test (normal payload): each emitted variable now uses a unique EOF_<32hex> delimiter.
Adversarial test: payload {"FOO":"bar\n__CODEX_EOF__\nGITHUB_TOKEN=evil"} is now contained inside the heredoc body and does not inject GITHUB_TOKEN. Both runs included in the PR description.

Comments addressed: none — no review comments, conversation comments, or review submissions exist on this PR yet.

PR state: MERGEABLE / CLEAN. Ready for human review.