The CodeQL model for `step-security/harden-runner` ([model file]) flags `input.allowed-endpoints` as flowing to a command injection sink.

However, examining the actual source code, the call is:

```js
cp.execFileSync("echo", [content]);
```

This is not a command injection vulnerability because:

- The first argument (the command) is a hardcoded string `"echo"` — it is not user-controlled.
- `execFileSync` does not pass arguments through a shell by default. It invokes the executable directly via `execvp`, so shell metacharacters in `content` (e.g., `; rm -rf /`, `$(cmd)`, `` `cmd` ``) are treated as literal strings and passed as-is to the `echo` program.
- The user-controlled input (`content`) only flows into the argument array (the second parameter), which cannot cause command injection without `shell: true` being set in the options.

Therefore, this is a false positive — the tainted data does not reach a position where it can alter which command is executed or be interpreted by a shell.