You also need to make sure you take care using PR titles and descriptions in your GHA because if they contain `text` it *may be executed lmfao.

edited: not "will", may depending on your GHA

▲

CGamesPlay 2 hours ago | parent | next [-]

Can you cite this? It's not YAML execution syntax, surely Github doesn't do it, the only vector I can see is if you put it unquoted into a shell script inside of a GHA yaml.

▲

benoau an hour ago | parent | next [-]

https://github.com/orgs/community/discussions/27065

https://stackoverflow.com/questions/77090044/github-actions-...

https://www.praetorian.com/blog/pwn-request-hacking-microsof...

All you need is user content containing `backticked`, and a github action referencing that via eg "github.event.issue.title" where the shell would normally execute `backticked` as a command (like echo, cat, etc).

▲

theteapot 2 hours ago | parent | prev [-]

I think he means template-injection -- https://woodruffw.github.io/zizmor/audits/#template-injectio...

	▲	benoau 42 minutes ago \| parent [-]
		Yes that's it.

▲

vldszn 3 hours ago | parent | prev [-]

Maybe zizmor could catch this https://github.com/zizmorcore/zizmor but not sure 100%

▲

insanitybit an hour ago | parent [-]

Yeah, zizmor checks for template injection.

	▲	vldszn 15 minutes ago \| parent [-]
		Nice