[static-analysis] RGS-006: Curl-Pipe-Bash Remote Code Execution in copilot-token-audit.lock.yml #29179

@github-actions

Description

RGS-006: Curl-Pipe-Bash Remote Code Execution

Severity: Critical
Rule: RGS-006 — Untrusted input flows into a curl | bash (or equivalent) pattern, enabling remote code execution
Detected: 2026-04-29 | Run 25130700074
Findings: 1 in copilot-token-audit.lock.yml


Affected Workflow

copilot-token-audit.lock.yml — 1 finding

Taint flow pattern:

  • Source: Untrusted event payload or workflow input (e.g., github.event.inputs.*, github.event.pull_request.*, etc.)
  • Sink: Shell command that downloads and executes a script (e.g., curl <url> | bash, wget -O- <url> | sh, eval $(curl ...))
  • Risk: An attacker who can control the source URL or inject into the command can execute arbitrary code within the runner

Example of vulnerable pattern:

- run: |
    curl -fsSL "${{ github.event.inputs.script_url }}" | bash

Attack Scenario

  1. Attacker triggers the workflow (via workflow_dispatch, PR, or comment) with a malicious input
  2. Attacker controls or poisons the URL used in the curl command
  3. Runner downloads and executes attacker-controlled script
  4. Attacker gains arbitrary code execution within the GitHub Actions runner
  5. Runner has access to all workflow secrets, repository contents, and any tokens granted to the job

This is particularly dangerous in copilot-token-audit.lock.yml because the workflow likely handles GitHub tokens/credentials as part of its function.


Remediation

Option 1 — Pin to a specific verified commit SHA (preferred):

- run: |
    # Download to a file first; never pipe the response straight into a shell
    curl -fsSL (internal.example.com/redacted) -o /tmp/script.sh
    # Verify the checksum against the known-good value recorded in the repository.
    # sha256sum -c exits non-zero on a mismatch, and the default Actions shell runs
    # with -e, so the step fails before the script is ever executed.
    echo "expected-sha256  /tmp/script.sh" | sha256sum -c
    bash /tmp/script.sh

Option 2 — Vendor the script into the repository:

- run: bash scripts/audit-tokens.sh

Option 3 — Use a pinned GitHub Action instead:

- uses: owner/action@<full-commit-sha>

General guidance:

  • Never pass github.event.* or github.event.inputs.* values directly into curl commands
  • If a remote URL must be used, validate it against a strict allowlist before downloading
  • Always separate download from execution — inspect the script before running
  • If results from such a script are passed on via GITHUB_ENV, treat whatever it writes there as untrusted, since that file is parsed into the environment of every later step

Remediation Checklist

  • Locate the specific curl | bash pattern in copilot-token-audit.lock.yml
  • Identify the source of the URL used in the curl command
  • Replace with a vendored script or verified pinned URL
  • If user input is required, validate against an explicit allowlist
  • Review all other steps in the workflow for similar patterns

Note on Co-Located RGS-008

copilot-token-audit.lock.yml also has an RGS-008 finding (secret directly interpolated in run: block), tracked in #29159. Both vulnerabilities should be remediated together.


References

Generated by Static Analysis Report · expires on May 6, 2026, 8:08 PM UTC