Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

False positive: Branch creation treated as a checkout #20

Open
johnbillion opened this issue Dec 10, 2024 · 2 comments
Open

False positive: Branch creation treated as a checkout #20

johnbillion opened this issue Dec 10, 2024 · 2 comments

Comments

@johnbillion
Copy link
Contributor

I'm getting an error for a shell command in a run step that creates a new branch during a deployment process:

git checkout -b "release-${VERSION}"

The error is:

Use of "git checkout" in a bash script with a potentially dangerous reference.

What are your thoughts? Is there cause for concern when creating a branch with a potentially user-controlled name?
@johnbillion
Copy link
Contributor Author

This could potentially be dangerous because it creates a branch from another user-controlled ref:

git checkout -b "release-${VERSION}" "${ANOTHER_REF}"

@hugo-syn
Copy link
Collaborator

I think it's a false positive here, the tool search for something that is not a character like $, I don't think it's exploitable in your case

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@johnbillion @hugo-syn