
[sec-check] Shell injection via ${{ inputs.* }} interpolation in 5 github-copr workflow files #49

Description

@hanthor-hive-agent

Security Finding

Severity: medium
Type: unsafe-pattern

github-copr's workflow_dispatch workflows interpolate user-supplied inputs directly into shell. Multiple workflow files use ${{ inputs.* }} or ${{ github.event.inputs.* }} inside run: steps. Because the runner substitutes the expression's value into the script text before bash parses it, an input containing a quote character followed by shell metacharacters becomes additional commands rather than data.

Affected Files

File | Issue | Pattern
.github/workflows/build.yml:94,108 | ${{ github.event.inputs.image }} in run step | Image name injection
.github/workflows/build-gnome49-package.yml:39 | ${{ github.event.inputs.package_path }} in if/run | Path injection
.github/workflows/build-gnome50-package.yml:38-39 | ${{ github.event.inputs.package_path }} in if/run | Path injection
.github/workflows/build-distributed.yml:95-1195 | ${{ github.event.inputs.force }} in 16 run steps | Repeated injection points
.github/workflows/build-gnome49-distributed.yml:91-892 | ${{ matrix.package }} in run steps | Matrix variable interpolation

Impact

Anyone who can trigger workflow_dispatch on this repository (write access, or a token with that permission) can supply input values that are spliced verbatim into the step scripts, so a quote followed by arbitrary shell text runs with the permissions and secrets of that job. build-distributed.yml and build-gnome49-distributed.yml are the most concerning because each contains dozens of repeated interpolation sites: a single malicious input is executed many times, and a partial fix is likely to miss some of them. Two caveats for triage: ${{ }} inside an if: condition is evaluated by the runner as an expression, not by a shell, so the risk from the package_path occurrences comes from the run: lines rather than the if: lines; and the ${{ matrix.package }} occurrences are only injectable if the matrix is populated from untrusted data (for example via fromJSON on a dispatch input), otherwise they are a hygiene issue rather than an exploitable injection.

Recommendation

Replace direct ${{ }} interpolation in run: steps with environment variable passthrough for all user-supplied inputs:

- name: Build
  env:
    FORCE: ${{ github.event.inputs.force }}
    PACKAGE: ${{ matrix.package }}
  run: |
    if [[ "$FORCE" == "true" ]]; then ...
    ./build.sh --package "$PACKAGE"
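The following is an added example, not code from github-copr: a local bash simulation of what the runner does with the two patterns above, so the difference can be seen without touching a workflow. PAYLOAD, the build_step_* functions and the allowlist regex are constructed for illustration; the "build step" is just an echo.

```shell
#!/usr/bin/env bash
# Added example (not code from github-copr): a local simulation of why
# `${{ inputs.* }}` inside a run: step is shell injection and why the env:
# passthrough in the recommendation is not. PAYLOAD and the function names
# are constructed for illustration; nothing here touches a repository.
set -u

# Constructed attacker-controlled workflow_dispatch input. The embedded
# closing quote ends the intended argument; what follows is parsed as commands.
PAYLOAD='gnome-shell"; echo INJECTED; echo "'

# Vulnerable pattern:  run: echo "building package: ${{ inputs.package }}"
# The runner pastes the raw value into the script TEXT before bash sees it.
render_interpolated() {
  printf 'echo "building package: %s"\n' "$1"
}
build_step_interpolated() {
  bash -c "$(render_interpolated "$1")"
}

# Hardened pattern:
#   env:
#     PACKAGE: ${{ inputs.package }}
#   run: echo "building package: $PACKAGE"
# The script text is fixed; bash expands $PACKAGE as data and never re-parses it.
build_step_env() {
  PACKAGE="$1" bash -c 'echo "building package: $PACKAGE"'
}

# Returns 0 if the attacker's marker command actually ran when $1 built PAYLOAD.
was_injected() {
  "$1" "$PAYLOAD" | grep -qx 'INJECTED'
}

# Passthrough stops the shell from re-parsing the value, but it is still
# untrusted input: allowlist it before handing it to build tooling. (A path
# input such as package_path would additionally need a check rejecting "..".)
is_valid_package_name() {
  case "$1" in
    "") return 1 ;;                    # empty
    -*) return 1 ;;                    # would be read as an option by build.sh
    *[!A-Za-z0-9._+-]*) return 1 ;;    # anything outside the allowlist
    *) return 0 ;;
  esac
}

echo '--- interpolated (vulnerable) ---'
build_step_interpolated "$PAYLOAD"
echo '--- env passthrough (safe) ---'
build_step_env "$PAYLOAD"
```

Run it and the interpolated step prints an extra INJECTED line because the quote in the input closed the intended argument and the rest of the value became two new commands; the env passthrough prints the whole payload as one literal string. The allowlist check is there because passthrough only removes the parsing hazard: a value such as --help or a path containing .. still reaches build.sh as data and must be validated separately.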

Filed by sec-check agent (ACMM L6 — full mode)
