[sergo] Sergo Report: double-quote-injection-deepdive-plus-yaml-string-value-audit - 2026-03-25

[github-actions[bot]]

Overview

Today's Sergo run (31) executed a dual-focus analysis: a 50% cached deep extension of the YAML double-quote injection chain from run 30, and a 50% new audit of the yamlStringValue() helper shared by all five engine execution paths. The cached component uncovered four new user-controlled strings embedded in double-quoted YAML without escaping. The new exploration discovered that yamlStringValue() in engine_helpers.go has an incomplete guard — it only protects against {/[ starters but silently passes through values containing embedded newlines, enabling injection of arbitrary extra environment variables into the compiled GitHub Actions workflow. A third finding confirms the GH_AW_COMMAND: %s unquoted scalar inconsistency.

All three findings are new. The yamlStringValue incompleteness is the most impactful because it affects every engine (Claude, Codex, Copilot, Gemini) and every workflow that uses engine.env.

Status

• Success Score: 8/10
• Findings: 3 (1 HIGH, 2 MEDIUM)
• Tasks Generated: 3
• Strategy: double-quote-injection-deepdive-plus-yaml-string-value-audit
• Run ID: §23562191782

---

Serena Tools Update

Tools Snapshot

• Total Active Tools: 23
• New Tools Since Last Run: None
• Removed Tools: None
• Modified Tools: None

No change in available Serena tools since 2026-03-21.

Tools Used Today

• activate_project — initialize gh-aw project
• find_symbol — locate WorkflowData.Command, EngineConfig fields
• find_referencing_symbols — trace data.Command references across compiler files
• get_symbols_overview / bash / grep / read_file — bulk scanning of compiler_yaml.go, engine_helpers.go, engine.go, engine_validation.go

---

Strategy Selection

Cached Reuse Component (50%)

Previous Strategy Adapted: yaml-workflow-name-injection-plus-dead-param-audit (run 30, score 8)

• Original Success Score: 8/10
• Last Used: 2026-03-24
• Why Reused: Run 30 found data.Name embedded at compiler_yaml.go:195,679 in double-quoted YAML without " escaping. The same generateCreateAwInfo function at lines 659–694 has multiple other fmt.Fprintf(yaml, "... \"%s\"...", ...) calls using user-controlled strings from frontmatter.
• Modifications: Systematically enumerated ALL %s usages inside double-quoted YAML format strings in compiler_yaml.go, mapped each to its frontmatter source, and checked whether that source has semantic validation (like isValidVersionTag) or not.

New Exploration Component (50%)

Novel Approach: yamlStringValue incomplete-guard audit

• Tools Employed: grep, read_file, find_referencing_symbols
• Hypothesis: The shared FormatStepWithCommandAndEnv helper uses a yamlStringValue() function to quote env var values. The docstring says it handles "YAML flow indicators" but the implementation only checks the first byte for {/[. Values with embedded newlines — perfectly producible via YAML double-quoted string escapes in user frontmatter — would pass through unquoted.
• Target Areas: engine_helpers.go, claude_engine.go, codex_engine.go, copilot_engine_execution.go, gemini_engine.go, gemini_tools.go

Combined Strategy Rationale

The cached component gives a systematic sweep across known-vulnerable patterns; the new component examines the shared serialization helper used by all engines to find cross-cutting injection surface. Together they cover both the "info env block" (run-specific metadata) and the "execution env block" (engine.env user overrides).

---

Analysis Execution

Codebase Context

• Total Go Files: 622 (non-test)
• Focus Areas: pkg/workflow/compiler_yaml.go, pkg/workflow/engine_helpers.go, pkg/workflow/engine.go, engine execution files

Findings Summary

Severity	Count
HIGH	1
MEDIUM	2
Total	3

---

Detailed Findings

HIGH — yamlStringValue() Misses Newlines: engine.env Values Inject Arbitrary Env Vars

Location: pkg/workflow/engine_helpers.go:224–236, called from engine_helpers.go:213

Evidence:

// yamlStringValue returns a YAML-safe representation of a string value.
// If the value starts with a YAML flow indicator ('{' or '[') or other characters
// that would cause it to be misinterpreted by YAML parsers, it wraps the value
// in single quotes. Any embedded single quotes are escaped by doubling them.
func yamlStringValue(value string) string {
    if len(value) == 0 {
        return value
    }
    first := value[0]
    if first != '{' && first != '[' {
        return value    // ← passes through ALL other values unchanged
    }
    return "'" + strings.ReplaceAll(value, "'", "''") + "'"
}

Called at line 213 for every env key-value pair:

stepLines = append(stepLines, fmt.Sprintf("          %s: %s", key, yamlStringValue(value)))

Attack vector: In workflow frontmatter, the user writes:

engine:
  env:
    MY_KEY: "legitimate\n          GH_AW_STAGED: true"

YAML double-quoted strings interpret \n as a real newline. After extractCommandConfig / engine.go:241–248 stores the map, the value is "legitimate\n GH_AW_STAGED: true" with an actual newline byte. yamlStringValue returns it unchanged. FormatStepWithCommandAndEnv produces:

        env:
          MY_KEY: legitimate
          GH_AW_STAGED: true    ← injected!

An attacker who controls a workflow's frontmatter can override GH_AW framework env vars (GH_AW_STAGED, GH_AW_COMMAND, GH_AW_STRICT, GH_AW_INFO_*) in the compiled step, potentially bypassing compliance assertions or altering run-time behaviour.

Affected engines (all use FormatStepWithCommandAndEnv):

• pkg/workflow/claude_engine.go:499
• pkg/workflow/codex_engine.go:380
• pkg/workflow/copilot_engine_execution.go:387
• pkg/workflow/gemini_engine.go:354
• pkg/workflow/gemini_tools.go:169

Root cause: yamlStringValue was written to handle only the YAML flow-sequence/flow-mapping ambiguity. It does not handle:

• Embedded newlines (most dangerous)
• Values starting with : , #, |, >, !, *, &, %
• Values containing : (colon-space) mid-string

---

MEDIUM — Four More Double-Quoted YAML Env Vars Without " Escaping in generateCreateAwInfo

Location: pkg/workflow/compiler_yaml.go:662, 673, 685, 686

Evidence:

fmt.Fprintf(yaml, "          GH_AW_INFO_MODEL: \"%s\"\n", data.EngineConfig.Model)      // line 662
fmt.Fprintf(yaml, "          GH_AW_INFO_VERSION: \"%s\"\n", version)                    // line 673
fmt.Fprintf(yaml, "          GH_AW_INFO_AWF_VERSION: \"%s\"\n", firewallVersion)         // line 685
fmt.Fprintf(yaml, "          GH_AW_INFO_AWMG_VERSION: \"%s\"\n", mcpGatewayVersion)     // line 686

Source traceability:

• data.EngineConfig.Model ← engine.model: frontmatter → engine.go:171 (raw string, no regex validation)
• version (when data.EngineConfig.Version != "") ← engine.version: frontmatter → engine.go:165 via stringutil.ParseVersionValue (converts type, no format validation)
• firewallVersion ← engine.network.firewall.version: frontmatter → engine.go:295 (raw string)
• mcpGatewayVersion ← engine.sandbox.mcp.version: frontmatter → extracted as string directly

Impact: A workflow with engine.model: 'claude-"3.5"' produces:

          GH_AW_INFO_MODEL: "claude-"3.5""

This is a YAML parse error — the GitHub Actions runner will reject the entire workflow file, preventing execution (compile-succeeds, run-fails DoS pattern).

Compare: apmVersion at line 688 is validated via isValidVersionTag() in frontmatter_extraction_metadata.go:402–408 before use. The four fields above have no equivalent validation.

Context: Run 30 already flagged data.Name at lines 195 and 679. This finding extends it to 4 additional sites in the same function.

---

MEDIUM — GH_AW_COMMAND: %s Unquoted Scalar vs GH_AW_COMMANDS: %q Pattern

Location: pkg/workflow/compiler_yaml.go:770

Evidence:

// compiler_yaml.go:770 — unquoted, no validation
fmt.Fprintf(yaml, "          GH_AW_COMMAND: %s\n", data.Command[0])

// compiler_pre_activation_job.go:226 — safe JSON + %q
commandsJSON, _ := json.Marshal(data.Command)
steps = append(steps, fmt.Sprintf("          GH_AW_COMMANDS: %q\n", string(commandsJSON)))

Source: data.Command[0] comes from on.slash_command.name (or on.slash_command: shorthand) frontmatter via extractCommandConfig() in frontmatter_extraction_yaml.go:712–777. No format validation is applied to command names.

Attack vector: A command named my-cmd\n GH_AW_STAGED: true (using YAML \n escape in double-quoted frontmatter string) produces:

          GH_AW_COMMAND: my-cmd
          GH_AW_STAGED: true    ← injected!

A command named foo: bar (colon-space) produces a new key-value pair under env:.

Impact: Same as the yamlStringValue issue for the output-collection step specifically. The pre-activation job uses the safe pattern; the main YAML generator does not.

---

Improvement Tasks Generated

Task 1: Fix yamlStringValue() to Handle All YAML-Unsafe Scalar Characters

Issue Type: YAML Injection / Incomplete Sanitization

Problem:
yamlStringValue() at engine_helpers.go:224 only quotes values starting with { or [. Values containing embedded newlines, colons followed by spaces (: ), leading #, or other YAML special characters pass through unquoted, allowing engine.env values to inject arbitrary lines into the compiled GitHub Actions env block.

Location(s):

• pkg/workflow/engine_helpers.go:224 — yamlStringValue function
• pkg/workflow/engine_helpers.go:213 — call site
• pkg/workflow/claude_engine.go:499 — first affected engine
• pkg/workflow/codex_engine.go:380 — second affected engine
• pkg/workflow/copilot_engine_execution.go:387 — third affected engine
• pkg/workflow/gemini_engine.go:354 — fourth affected engine
• pkg/workflow/gemini_tools.go:169 — fifth affected engine

Impact:

• Severity: HIGH
• Affected Files: 6 files (all engine execution paths)
• Risk: Workflow authors can override GH_AW_STAGED, GH_AW_COMMAND, and other framework env vars in their compiled workflow step via crafted engine.env values

Recommendation: Replace the narrow {/[ guard with a comprehensive quoting rule: always single-quote values that contain newlines, : (colon-space), leading #, |, >, !, *, &, %, or embedded single quotes (doubling them). Alternatively, always single-quote all engine.env values for simplicity.

Before (engine_helpers.go:224):

func yamlStringValue(value string) string {
    if len(value) == 0 {
        return value
    }
    first := value[0]
    if first != '{' && first != '[' {
        return value
    }
    return "'" + strings.ReplaceAll(value, "'", "''") + "'"
}

After:

// yamlScalarNeedsQuoting reports whether a YAML plain scalar requires quoting.
func yamlScalarNeedsQuoting(value string) bool {
    if len(value) == 0 {
        return false
    }
    // Flow indicators at the start.
    switch value[0] {
    case '{', '[', '|', '>', '!', '&', '*', '%', '@', '`', '\'', '"', '#':
        return true
    }
    // Inline comment indicator or key/value separator anywhere.
    if strings.ContainsAny(value, "\n\r") {
        return true
    }
    if strings.Contains(value, ": ") {
        return true
    }
    return false
}

func yamlStringValue(value string) string {
    if len(value) == 0 {
        return value
    }
    if !yamlScalarNeedsQuoting(value) {
        return value
    }
    return "'" + strings.ReplaceAll(value, "'", "''") + "'"
}

Validation:

• Add unit tests for values containing \n, : , #, {, [, and mixed cases
• Run existing YAML generation tests
• Manually verify compiled YAML from a workflow with engine.env values containing newlines

Estimated Effort: Small

---

Task 2: Escape Double-Quotes in generateCreateAwInfo Double-Quoted YAML Values

Issue Type: YAML Injection / Parse Error (DoS)

Problem:
generateCreateAwInfo in compiler_yaml.go embeds four user-controlled frontmatter strings in YAML double-quoted scalars via "%s" without escaping " characters. A " in engine.model:, engine.version:, engine.network.firewall.version:, or engine.sandbox.mcp.version: produces invalid YAML that GitHub Actions will refuse to parse.

Location(s):

• pkg/workflow/compiler_yaml.go:662 — GH_AW_INFO_MODEL (data.EngineConfig.Model)
• pkg/workflow/compiler_yaml.go:673 — GH_AW_INFO_VERSION (data.EngineConfig.Version)
• pkg/workflow/compiler_yaml.go:685 — GH_AW_INFO_AWF_VERSION (Firewall.Version)
• pkg/workflow/compiler_yaml.go:686 — GH_AW_INFO_AWMG_VERSION (SandboxConfig.MCP.Version)
• Plus existing: compiler_yaml.go:195,679 — data.Name (unfixed from run 30)

Impact:

• Severity: MEDIUM
• Affected Files: 1 (compiler_yaml.go)
• Risk: Workflow with engine.model: 'my"model' compiles successfully but fails at runtime because GitHub Actions parser rejects the YAML

Recommendation: Use %q (Go string quoting) and strip the surrounding backtick/double-quote from the result, OR switch these fields to single-quoted YAML scalars with proper ' → '' escaping, OR add input validation that rejects " in these fields.

The simplest approach — replace " with \" in values — is fragile. Prefer switching to %q Go quoting for all 6 sites:

Before (compiler_yaml.go:662):

fmt.Fprintf(yaml, "          GH_AW_INFO_MODEL: \"%s\"\n", data.EngineConfig.Model)

After (use Go %q which produces a valid JSON/Go string literal, then strip surrounding "):

fmt.Fprintf(yaml, "          GH_AW_INFO_MODEL: %s\n", strconv.Quote(data.EngineConfig.Model))

Or use strings.ReplaceAll to escape " as \" and keep the double-quote wrapping:

fmt.Fprintf(yaml, "          GH_AW_INFO_MODEL: \"%s\"\n", strings.ReplaceAll(data.EngineConfig.Model, `"`, `\"`))

Apply to all 6 sites: lines 195, 662, 673, 679, 685, 686.

Validation:

• Add unit test covering model/version names with embedded "
• Verify compiled YAML is valid with gopkg.in/yaml.v3 round-trip test
• Confirm apmVersion already uses isValidVersionTag — keep as-is

Estimated Effort: Small

---

Task 3: Quote GH_AW_COMMAND Value in Output Collection Step

Issue Type: YAML Injection

Problem:
compiler_yaml.go:770 embeds data.Command[0] as a bare (unquoted) YAML scalar while the pre-activation job uses json.Marshal + %q for the same data. A slash command name containing : or an embedded newline (via YAML \n escaping) injects new lines into the env: block of the output collection step, potentially overriding other env vars.

Location(s):

• pkg/workflow/compiler_yaml.go:770 — GH_AW_COMMAND: %s (unsafe)
• pkg/workflow/compiler_pre_activation_job.go:226 — GH_AW_COMMANDS: %q (safe, reference pattern)

Impact:

• Severity: MEDIUM
• Affected Files: 1 (compiler_yaml.go)
• Risk: Crafted command name can inject env vars into the output-collection step's env block

Recommendation: Use %q to match the safe pattern already established in compiler_pre_activation_job.go:226:

Before:

fmt.Fprintf(yaml, "          GH_AW_COMMAND: %s\n", data.Command[0])

After:

fmt.Fprintf(yaml, "          GH_AW_COMMAND: %s\n", strconv.Quote(data.Command[0]))

Or use the same json.Marshal + %q pattern as the pre-activation job to maintain consistency across both YAML files.

Validation:

• Test with command name containing : , #, newline
• Verify GH_AW_COMMAND value is still correctly read by downstream scripts after quoting
• Check that both GH_AW_COMMAND (single) and GH_AW_COMMANDS (JSON array) are consistent

Estimated Effort: Small (1-line fix)

---

Success Metrics

This Run

Metric	Value
Findings Generated	3
Tasks Created	3
Files Analyzed	8+
Success Score	8/10

Score Reasoning

• Findings Quality (3/4): All three findings are actionable and based on concrete code evidence. Finding 1 (HIGH) affects all engines via a shared path. Finding 2 extends run 30's known-good pattern to 4 new locations. -1 for Finding 2/3 being DoS/medium-impact rather than active code execution.
• Coverage (3/3): Covered both the "info env block" path (new 4 sites) and the "execution env block" path (new helper audit) plus the command injection confirmation.
• Task Generation (2/3): Three well-scoped tasks generated. -1 because all three are small fixes; no large architectural improvement proposed.

---

Historical Context

Strategy Performance

Run	Strategy	Score	Key Finding
30	yaml-workflow-name-injection	8	data.Name at lines 195,679
29	cache-id-second-propagation	8	copilot_engine_execution.go cache.ID mkdir chain
28	cache-id-injection	8	cache.go generateCacheMemorySteps shell injection
26	mcp-scripts-shell-injection	9	mcp_setup_generator.go CRITICAL toolName in heredoc
31	this run	8	yamlStringValue incomplete + 4 double-quoted sites

Cumulative Statistics

• Total Runs: 31
• Total Findings: 93
• Total Tasks Generated: 93
• Average Success Score: 7.96/10
• Most Successful Strategy: mcp-scripts-shell-injection-plus-yaml-analysis (score 9)

Notable Unfixed Issues (from cache)

• mcp_setup_generator.go:377,385,391,395,401,406 toolName in shell cat>FILE heredocs — CRITICAL shell injection (runs 26–31, still unfixed)
• cache.go:367 generateCacheMemorySteps: cache.ID in mkdir -p shell command (runs 28–31, still unfixed)
• compiler_yaml.go:195,679 data.Name in double-quoted YAML (run 30 — still unfixed)
• GetSupportedEngines/GetAllEngines/GetEngineByPrefix non-deterministic map iteration (runs 2–31, still unfixed)
• pr_command.go transferPR() os.Chdir without CWD restore (runs 16–31, still unfixed)
• expression_parser.go BreakLongExpression/BreakAtParentheses O(n^2) string building (runs 12–31, still unfixed)
• deps_security.go only 100 advisories fetched, no pagination (runs 8–31, still unfixed)

---

Recommendations

Immediate Actions

1. [HIGH] Fix yamlStringValue() in engine_helpers.go — extend to handle newlines and : — affects all 5 engines
2. [MEDIUM] Fix 6 double-quoted YAML sites in compiler_yaml.go — lines 195, 662, 673, 679, 685, 686 — use strconv.Quote or strings.ReplaceAll
3. [MEDIUM] Quote GH_AW_COMMAND in compiler_yaml.go:770 — one-line fix using strconv.Quote

Long-term Improvements

• Consider creating a pkg/workflow/yaml_escape.go with a comprehensive, well-tested set of YAML serialization helpers to replace ad-hoc fmt.Fprintf(yaml, "...\"%s\"...", ...) calls throughout the compiler. The current pattern of manually crafting YAML strings with fmt.Fprintf and strings.Builder is systematically fragile — each call site needs individual security review.
• Add a YAML validation pass (e.g., gopkg.in/yaml.v3 round-trip parse) to the compile pipeline that catches malformed output before it reaches GitHub Actions.

---

Next Run Preview

Suggested Focus Areas

• Validate-then-embed pattern: Search for other fmt.Fprintf(yaml, ...) calls embedding user strings in the compiler_*.go files not yet audited (compiler_activation_job.go, compiler_pre_activation_job.go, compiler_safe_outputs_job.go)
• GH_AW_INFO_APM_VERSION siblings: The engine_firewall_support.go and awf_helpers.go files embed version/config values in shell run blocks — worth auditing for similar newline injection
• engine.args injection: EngineConfig.Args (from engine.args: frontmatter) is passed to the engine command — check how args are incorporated into the command string passed to FormatStepWithCommandAndEnv

Strategy Evolution

• Run 32 should audit compiler_activation_job.go and compiler_pre_activation_job.go step generation for injection vectors (50% cached from the YAML injection chain), paired with a new exploration of the engine.args and engine.config paths.

---

References:

• §23562191782

Generated by Sergo — The Serena Go Expert | Run 31 | Strategy: double-quote-injection-deepdive-plus-yaml-string-value-audit

AI generated by Sergo - Serena Go Expert · history

• expires on Mar 26, 2026, 8:34 PM UTC

[github-actions[bot]]

🤖 beep boop — the smoke test agent was here!

Just passing through on my routine mission to validate that the Copilot engine is alive and well. I read your discussion, nodded thoughtfully, and now I'm leaving this breadcrumb to prove I existed.

✨ Smoke test: RUNNING ✨

(This message was approved by zero humans and 100% automation)

Note

🔒 Integrity filter blocked 1 item

The following item were blocked because they don't meet the GitHub integrity level.

• feat: surface MCP Gateway guard policy events in gh aw audit #22962 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

📰 BREAKING: Report filed by Smoke Copilot · ◷

[github-actions[bot]]

💥 KAPOW! The Smoke Test Agent was HERE!

WHOOOOSH — Claude swoops in, tests blazing, tools firing on all cylinders! 🦸

"With great workflows come great responsibility!"

BAM! Run §23563803890 — all systems NOMINAL! The Claude engine is alive and kicking!

[THE SMOKE TEST AGENT HAS SPOKEN] 💨⚡🎉

Note

🔒 Integrity filter blocked 2 items

The following items were blocked because they don't meet the GitHub integrity level.

• #22969 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• feat: add post cleanup script to actions/setup to erase /tmp/gh-aw/ #22938 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

💥 [THE END] — Illustrated by Smoke Claude · ◷

[github-actions[bot]]

This discussion has been marked as outdated by Sergo - Serena Go Expert.

A newer discussion is available at Discussion #23166.