PT-2023-33030 · Facebook · Pytorch

Published 2023-08-30 · Updated 2023-08-30


No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions: pytorch/pytorch (affected versions not specified)
Description: The filter-test-configs workflow in pytorch/pytorch is vulnerable to expression injection in GitHub Actions. The raw github.event.workflow_run.head_branch value is expanded directly inside the run script of the filter step. Because the head branch name of a workflow_run event is attacker-controlled, a crafted branch name can achieve command execution in that step, which may allow an attacker to leak workflow secrets and alter the repository using the workflow's permissions.
Recommendations: To resolve the issue, pass potentially attacker-controlled values such as github.event.workflow_run.head_branch through an intermediate environment variable instead of expanding them inline in the script, so that the shell receives the value as data rather than as part of the command text. Update the workflow to use the intermediate environment variable, for example:
- name: Select all requested test configurations
  shell: bash
  env:
    GITHUB_TOKEN: ${{ inputs.github-token }}
    JOB_NAME: ${{ steps.get-job-name.outputs.job-name }}
    HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
  id: filter
  run: |
    ...
    python3 "${GITHUB_ACTION_PATH}/../../scripts/filter_test_configs.py" \
      ...
      --branch "$HEAD_BRANCH"
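The following scanner is an added example written for this page; it is not PyTorch's code and not part of the advisory. It implements the check a reviewer would want for both the vulnerability described above and the recommended fix: it walks the `run:` scripts of a workflow or composite action and reports any `${{ ... }}` expression that expands attacker-influenced event data directly into the script, while values routed through `env:` are left alone. The two embedded YAML snippets are constructed reconstructions of the before and after states modelled on the advisory's recommendation, and the list of untrusted contexts is an assumption based on GitHub's published guidance rather than anything the advisory states.

```python
"""Added example (not PyTorch's code): a small scanner for the GitHub Actions
expression-injection pattern described in PT-2023-33030.  It walks the `run:`
scripts of a workflow or composite action and reports any `${{ ... }}`
expression that expands attacker-influenced event data directly into the
script text.  Values passed through `env:` are not flagged, because the shell
then receives them as data rather than as part of the command line."""
import re

# Event fields an external contributor can influence.  The first entry is the
# one named in the advisory; the others follow GitHub's published guidance on
# untrusted inputs (assumption: illustrative, not exhaustive).
UNTRUSTED_CONTEXTS = (
    "github.event.workflow_run.head_branch",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
    "github.event.head_commit.message",
    "github.head_ref",
)

EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
# Matches `run:` whether it opens a list item (`- run:`) or is a plain key.
RUN_RE = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def run_script_lines(yaml_text):
    """Yield (line_number, text) for each line that belongs to a run: script.

    Handles inline scripts (`run: cmd`) and block scalars (`run: |` / `run: >`)
    with indentation-based parsing, so no YAML library is required.
    """
    lines = yaml_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_col = len(m.group(1))  # column where the `run` key starts
        rest = m.group(2)
        if rest.startswith(("|", ">")):
            # Block scalar: every following non-blank line indented deeper
            # than the key is part of the script.
            i += 1
            while i < len(lines) and (
                not lines[i].strip() or _indent(lines[i]) > key_col
            ):
                if lines[i].strip():
                    yield i + 1, lines[i]
                i += 1
        else:
            yield i + 1, rest
            i += 1


def find_injections(yaml_text):
    """Return [(line_number, expression)] for every untrusted expression
    expanded inside a run: script."""
    findings = []
    for lineno, text in run_script_lines(yaml_text):
        for expr in EXPR_RE.findall(text):
            if any(ctx in expr for ctx in UNTRUSTED_CONTEXTS):
                findings.append((lineno, expr))
    return findings


# Constructed reconstruction of the vulnerable step: the head branch name is
# expanded straight into the shell script before bash ever sees it.
VULNERABLE_STEP = """\
- name: Select all requested test configurations
  shell: bash
  id: filter
  run: |
    python3 "${GITHUB_ACTION_PATH}/../../scripts/filter_test_configs.py" \\
      --branch "${{ github.event.workflow_run.head_branch }}"
"""

# Constructed version of the fix recommended in the advisory: the value goes
# through an environment variable and the script reads "$HEAD_BRANCH".
FIXED_STEP = """\
- name: Select all requested test configurations
  shell: bash
  env:
    HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
  id: filter
  run: |
    python3 "${GITHUB_ACTION_PATH}/../../scripts/filter_test_configs.py" \\
      --branch "$HEAD_BRANCH"
"""

if __name__ == "__main__":
    for label, snippet in (("vulnerable", VULNERABLE_STEP), ("fixed", FIXED_STEP)):
        hits = find_injections(snippet)
        print(f"{label}: {hits or 'no untrusted expressions in run: scripts'}")
```

Running the script flags line 6 of the vulnerable snippet (the inline `${{ github.event.workflow_run.head_branch }}`) and reports nothing for the fixed one, because the `${{ }}` expansion now sits under `env:` and the script only references `$HEAD_BRANCH`. The same function can be pointed at a whole `.github/` tree to catch other steps that expand event data inline.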

Related Identifiers: GHSA-HW6R-G8GJ-2987

Affected Products: Pytorch