Vulnerability Information
Vulnerability Title
Harden-Runner has command injection weaknesses in `setup.ts` and `arc-runner.ts`
Vulnerability Description
StepSecurity's Harden-Runner provides network egress filtering and runtime security for GitHub-hosted and self-hosted runners. Versions of step-security/harden-runner prior to v2.10.2 contain multiple command injection weaknesses via environment variables that could potentially be exploited under specific conditions. However, due to the current execution order of pre-steps in GitHub Actions and the placement of harden-runner as the first step in a job, the likelihood of exploitation is low as the Harden-Runner action reads the environment variable during the pre-step stage. There are no known exploits at this time. Version 2.10.2 contains a patch.
CVSS Information
N/A
Vulnerability Type
Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)
Vulnerability Title
Harden-Runner OS command injection vulnerability
Vulnerability Description
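Harden-Runner is an open-source program from StepSecurity. It provides network egress filtering and runtime security for GitHub-hosted and self-hosted runners. Versions of Harden-Runner prior to v2.10.2 contain an OS command injection vulnerability, which stems from multiple command injection weaknesses via environment variables.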
CVSS Information
N/A
Vulnerability Type
N/A