[sergo] Sergo Report: yaml-injection-custom-jobs-plus-qmd-runson-audit - 2026-03-27

[github-actions[bot]]

Overview

Today's analysis extended the sustained YAML injection audit series (runs 30–32) into previously unexplored compilation paths: the generic custom-job rendering layer (jobs.go) and QmdConfig indexing job generation (qmd.go). The cached component deepened the injection surface survey to show that custom job runs-on, env, outputs, and with fields are all rendered without YAML-safe escaping. The new component revealed the same unescaped string concatenation pattern in the QMD tooling path. All three findings are actionable injection vectors that a workflow author could trigger with a YAML double-quoted string containing a \n escape sequence.

Tools Snapshot

• Total Tools Available: 23 (unchanged from 2026-03-26)
• New Tools Since Last Run: None
• Removed Tools: None
• Tool Capabilities Used Today: find_symbol, search_for_pattern, grep, direct file reads, bash for targeted line inspection

Strategy Selection

Cached Reuse Component (50%)

Previous Strategy Adapted: double-quote-injection-deepdive-plus-yaml-string-value-audit (run 31, score 8) and yaml-injection-skip-roles-plus-unicode-truncation-audit (run 32, score 8)

• Why Reused: The YAML injection family has consistently yielded HIGH-severity findings across runs 30–32. Each run finds a new injection site using the same root cause: user-controlled string values embedded via %s or string concatenation without YAML escaping.
• Modifications: Shifted focus from the compiler_yaml.go / compiler_pre_activation_job.go frontmatter env vars to the job rendering layer — the jobs.go:ToYAML() method and the custom job compilation path in compiler_jobs.go.

New Exploration Component (50%)

Novel Approach: QmdConfig injection audit — tracing the qmd.runs-on frontmatter field through tools_parser.go → WorkflowData.QmdConfig → qmd.go:buildQmdIndexingJob → jobs.go:ToYAML.

• Hypothesis: The QmdConfig path is a newer, less-scrutinized code path that likely reuses the same unescaped string-concatenation idiom found throughout the codebase.
• Target Areas: pkg/workflow/qmd.go, pkg/workflow/safe_jobs.go, pkg/workflow/compiler_jobs.go:555-580, pkg/workflow/jobs.go:245-370

Codebase Context

• Go files in pkg/: 622 (excluding test files)
• Packages Analyzed: pkg/workflow — jobs rendering, qmd, compiler_jobs, safe_jobs, jobs
• Focus Areas: Custom job YAML rendering path and QmdConfig indexing job builder

Findings Summary

Severity	Count
Critical	0
High	2
Medium	1
Low	0
Total	3

Detailed Findings

Finding 1 — Custom Job runs-on YAML Injection (HIGH)

Files: pkg/workflow/compiler_jobs.go:561, pkg/workflow/safe_jobs.go:193

Description: When compiling custom jobs (non-engine workflow jobs defined in the frontmatter jobs: block) and safe-output job configurations, the user-supplied runs-on string is concatenated directly into a YAML line with no escaping:

// compiler_jobs.go:561
job.RunsOn = "runs-on: " + runsOnStr

// safe_jobs.go:193
job.RunsOn = "runs-on: " + runsOnStr

This string is later written to the compiled GitHub Actions YAML verbatim via jobs.go:246:

fmt.Fprintf(&yaml, "    %s\n", job.RunsOn)

Exploit path: A workflow author writes:

jobs:
  my-job:
    runs-on: "ubuntu-latest\nstrategy:\n  max-parallel: 100"

Go's gopkg.in/yaml.v3 parses the double-quoted YAML value into a Go string containing literal newlines. The compiled output becomes:

    runs-on: ubuntu-latest
strategy:
  max-parallel: 100

…injecting a strategy: block at the job level.

Impact: Allows injecting arbitrary GitHub Actions YAML keys at the job level. Potential misuse: adding strategy.matrix, environment: (to bypass environment protection rules), or permissions: overrides.

Note: The array/object form of runs-on uses yaml.Marshal and is safe; only the string scalar form is affected.

---

Finding 2 — Custom Job env, outputs, and with YAML Injection (HIGH)

File: pkg/workflow/jobs.go:299,314,340

Description: The Job.ToYAML() method writes custom job env:, outputs:, and with: (reusable workflow inputs) values using raw %s format with no YAML escaping:

// env: block (line 299)
fmt.Fprintf(&yaml, "      %s: %s\n", key, job.Env[key])

// outputs: block (line 314)
fmt.Fprintf(&yaml, "      %s: %s\n", key, job.Outputs[key])

// with: block for reusable workflow calls (line 340)
fmt.Fprintf(&yaml, "      %s: %s\n", key, v)

These values are populated directly from user YAML frontmatter with no sanitization:

• job.Env: from compiler_jobs.go:674–678 (env: map under a custom job)
• job.Outputs: from compiler_jobs.go:750–757 (outputs: map under a custom job)
• job.With: from compiler_jobs.go:769–773 (with: map for reusable workflow calls)

Exploit path: A workflow YAML with:

jobs:
  my-job:
    env:
      MY_VAR: "value\nANOTHER_KEY: injected"

Produces compiled YAML output:

    env:
      MY_VAR: value
ANOTHER_KEY: injected

ANOTHER_KEY escapes the env: indentation and becomes a top-level job key (invalid YAML structure or injects a recognized key like timeout-minutes:).

Note: job.Secrets values (line 363) are protected by validateSecretsExpression() which enforces the $\{\{ secrets.NAME }} pattern and prevents newline injection.

Contrast: Engine env values use yamlStringValue() (engine_helpers.go:224, also unfixed per run 31) which at least attempts quoting for {/[-prefixed values — the custom-job path has zero quoting logic.

---

Finding 3 — QmdConfig runs-on YAML Injection (MEDIUM)

File: pkg/workflow/qmd.go:628–629

Description: The QMD (Query My Docs) tool integration builds a separate qmd-indexing job. The job's runs-on value comes from the user's qmd.runs-on: frontmatter field:

indexingRunsOn := "runs-on: " + constants.DefaultQmdIndexingRunnerImage
if data.QmdConfig.RunsOn != "" {
    indexingRunsOn = "runs-on: " + data.QmdConfig.RunsOn  // line 629 — no escaping
}

This string is assigned to job.RunsOn and written verbatim at jobs.go:246. Same injection mechanism as Finding 1.

Exploit path: A workflow author writes:

tools:
  qmd:
    runs-on: "aw-gpu-runner-T4\npermissions:\n  contents: write"

Injects a permissions: contents: write block into the QMD indexing job, overriding its read-only permissions.

Lower severity than Finding 1 because qmd.runs-on is less commonly configured and QMD is an advanced feature, but the structural vulnerability is identical.

Improvement Tasks Generated

Task 1: Sanitize Custom Job runs-on String Concatenation

Issue Type: YAML Injection

Problem: compiler_jobs.go:561 and safe_jobs.go:193 concatenate user-supplied runs-on strings directly without YAML-safe escaping.

Locations:

• pkg/workflow/compiler_jobs.go:561
• pkg/workflow/safe_jobs.go:193
• pkg/workflow/qmd.go:629 (same pattern, see Task 3)

Impact:

• Severity: High
• Affected Files: 2–3
• Risk: Attacker injects arbitrary GitHub Actions job-level keys (strategy, environment, permissions) into compiled workflow YAML

Recommendation: Replace string concatenation with YAML marshaling for the string scalar case:

// Before (compiler_jobs.go:561)
job.RunsOn = "runs-on: " + runsOnStr

// After
yamlBytes, err := yaml.Marshal(map[string]any{"runs-on": runsOnStr})
if err != nil {
    return fmt.Errorf("failed to encode runs-on for job '%s': %w", jobName, err)
}
job.RunsOn = strings.TrimSuffix(string(yamlBytes), "\n")

This matches the existing array/object case which already uses yaml.Marshal.

Validation:

• Verify compiled YAML contains properly escaped runs-on value
• Test with \n-containing value to confirm injection is prevented
• Check safe_jobs.go:193 uses same fix

Estimated Effort: Small

---

Task 2: Quote Custom Job env, outputs, and with Values in jobs.go

Issue Type: YAML Injection

Problem: jobs.go:299,314,340 write user-controlled string values with %s (no quoting) into YAML env:, outputs:, and with: blocks. A value containing a literal newline escapes the indented block and injects top-level job YAML keys.

Locations:

• pkg/workflow/jobs.go:299 (env: values)
• pkg/workflow/jobs.go:314 (outputs: values)
• pkg/workflow/jobs.go:340 (with: string values for reusable workflow calls)

Impact:

• Severity: High
• Affected Files: 1 (jobs.go), but impacts all custom-job compilation paths
• Risk: Inject timeout-minutes, environment, permissions, or other keys outside the env: block

Recommendation: Use %q for values that do not start with a GitHub Actions expression ($\{\{), mirroring engine_helpers.go:yamlStringValue() or templatables.go:buildTemplatableBoolEnvVar():

// Before (line 299)
fmt.Fprintf(&yaml, "      %s: %s\n", key, job.Env[key])

// After
value := job.Env[key]
if strings.HasPrefix(value, "$\{\{") {
    fmt.Fprintf(&yaml, "      %s: %s\n", key, value)  // GHA expression — unquoted
} else {
    fmt.Fprintf(&yaml, "      %s: %q\n", key, value)  // literal — Go-quoted
}

Apply the same pattern to outputs: (line 314) and with: string case (line 340).

Validation:

• Test env value "foo\nbar: injected" produces escaped YAML output
• Confirm GHA expressions like $\{\{ github.event.issue.number }} remain unquoted
• Run existing compiler tests to verify no regressions

Estimated Effort: Small

---

Task 3: Sanitize QmdConfig runs-on in qmd.go

Issue Type: YAML Injection

Problem: qmd.go:629 uses the same "runs-on: " + data.QmdConfig.RunsOn pattern. A user-supplied qmd.runs-on: with an embedded newline injects YAML into the QMD indexing job.

Location: pkg/workflow/qmd.go:628–629

Impact:

• Severity: Medium
• Affected Files: 1
• Risk: Override QMD indexing job permissions, environment protection rules, or other job-level settings

Recommendation: Replace with YAML-marshaled form to be consistent with Task 1:

// Before (qmd.go:629)
indexingRunsOn = "runs-on: " + data.QmdConfig.RunsOn

// After
yamlBytes, err := yaml.Marshal(map[string]any{"runs-on": data.QmdConfig.RunsOn})
if err != nil {
    qmdLog.Printf("Failed to encode qmd runs-on value, using default: %v", err)
    indexingRunsOn = "runs-on: " + constants.DefaultQmdIndexingRunnerImage
} else {
    indexingRunsOn = strings.TrimSuffix(string(yamlBytes), "\n")
}

Note: This is the same fix as Task 1, applied to a different caller. Consider extracting a shared marshalRunsOn(value string) string helper.

Validation:

• Test with multi-line qmd.runs-on value
• Verify QMD indexing workflow compiles correctly with standard runner names
• Consider marshalRunsOn helper to DRY across Tasks 1, 2, 3

Estimated Effort: Small

Success Metrics

This Run

• Findings Generated: 3 (2 HIGH, 1 MEDIUM)
• Tasks Created: 3
• Files Analyzed: ~8 (jobs.go, compiler_jobs.go, safe_jobs.go, qmd.go, compiler_yaml_helpers.go, safe_outputs_config.go, templatables.go, secrets_validation.go)
• Success Score: 8/10

Reasoning

• Findings Quality: 3/4 — two HIGH-severity actionable injection vectors, one MEDIUM. Real impact via compiled YAML corruption.
• Coverage: 2/3 — focused audit of job-rendering layer, not broad sweep
• Task Generation: 3/3 — all three tasks are clearly scoped, small effort, directly fixable

Historical Context

Strategy Performance (Recent)

Run	Date	Strategy	Score
31	2026-03-25	double-quote-injection-deepdive	8
32	2026-03-26	yaml-injection-skip-roles	8
33	2026-03-27	yaml-injection-custom-jobs-plus-qmd	8

Cumulative Statistics

• Total Runs: 33
• Total Findings: 99
• Total Tasks Generated: 99
• Average Success Score: 7.94/10
• Most Successful Strategy: mcp-scripts-shell-injection-plus-yaml-analysis (score 9)

Recommendations

Immediate Actions

1. Fix custom job runs-on string concatenation (High) — compiler_jobs.go:561, safe_jobs.go:193 — use yaml.Marshal for string scalar case
2. Quote custom job env/outputs/with values (High) — jobs.go:299,314,340 — apply %q quoting for non-expression values
3. Fix QmdConfig runs-on concatenation (Medium) — qmd.go:629 — same marshal approach

Long-term Improvements

The sustained YAML injection audit series (runs 30–33) reveals a systemic pattern: the codebase has no central "YAML-safe value serializer" for the job/step compilation layer. The existing yamlStringValue() in engine_helpers.go is applied inconsistently (only in one place, with incomplete logic per run 31). A safeYAMLScalar(s string) string helper that handles expression pass-through, proper quoting for literals, and newline detection should be introduced and applied uniformly across all job and step rendering paths.

Next Run Preview

Suggested Focus Areas

• Audit job.If condition rendering (jobs.go:~580) — job.If is set from user YAML if: conditions in compiler_jobs.go:579; check if newline injection is possible here or in reusable workflow call if: fields
• Audit job.Uses for reusable workflow calls — jobs.go:321 writes job.Uses with %s; while GitHub action reference strings are constrained, YAML injection via the jobs: block deserves confirmation

Strategy Evolution

Consider a "fix validation" component for future runs — re-check whether findings from runs 30–33 have been remediated, since the unfixed list now has 40+ entries and tracking which are addressed is valuable signal.

---

References:

• §23665763953

AI generated by Sergo - Serena Go Expert · history

• expires on Mar 28, 2026, 8:30 PM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-03-28T20:30:05.503Z.

Closed by Workflow