
Yeah, I think the story that's being missed here is that GitHub allows branches named "$(curl...|bash)".


Sounds like something GitHub should be easily able to detect too.

Hopefully that's an exploit path they'll close soon, if they've not done so already.


What/where does code get evaluated from a branch name?


In GitHub Actions, because their runners use echo commands to print out environment variables and variables that have been declared via inputs, which in return is parsed in the UI.

So technically, all environment variables are unsanitized and this was only the first problem in a list of bugs. This bug specifically used the "pull_request" event/action because it is automatically executed without any chance of stopping it, and was using details exposed via the pull requests head.ref.

Next up: git usernames and emails that use shellcode injection names, because GitHub probably won't introduce sanitization to all variables/inputs now.

This is a prime example why you should never ever use a shell to log arbitrary data.
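The mechanism the comment above describes, as an added example that is not part of the thread: a constructed branch name is rendered into a shell script by text substitution (what a `${{ ... }}` expression inside a `run:` step does) versus handed to the shell as an environment variable (what an `env:` mapping does). The branch name and the `INJECTED` marker are constructed for the demonstration.

```bash
#!/bin/sh
# Constructed branch name carrying a command substitution. The payload is a
# harmless marker so the effect is visible without doing anything else.
BRANCH='feature/$(echo INJECTED)'

# Vulnerable pattern: the value is pasted into the script text before the
# shell parses it, so the shell treats $(...) as code, not as data.
# This mirrors:  run: echo "Branch: ${{ github.event.pull_request.head.ref }}"
unsafe_step() {
    script="echo \"Branch: $1\""
    sh -c "$script"
}

# Hardened pattern: the value reaches the shell only as an environment
# variable, and "$BRANCH_NAME" is expanded as a plain string.
# This mirrors:  env: { BRANCH_NAME: "${{ ... }}" }  run: echo "Branch: $BRANCH_NAME"
safe_step() {
    BRANCH_NAME="$1" sh -c 'echo "Branch: $BRANCH_NAME"'
}

unsafe_step "$BRANCH"   # prints: Branch: feature/INJECTED   (substitution ran)
safe_step "$BRANCH"     # prints: Branch: feature/$(echo INJECTED)   (literal)
```

In a workflow the same rule applies to any untrusted event field, not only `head.ref`: pass it through `env:` and quote the variable, never interpolate it into the `run:` text.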


GitHub should not disallow/filter branch names. Developers should write (and be given the tools to) workflows that do not allow command injection.


GitHub could disallow/filter branch names. Developers will not write (and be given the tools to) workflows that do not allow command injection.


Do you have the same reasoning for SQL/XSS injection? Should developers not write code that is resistant to SQL/XSS injection and instead rely on something like a WAF?

These protections (WAF for SQL/XSS, branch names for this) will never be enough. The code/logic must be secure, any additional layer is not enough since the actual target must be secured.

Developers will do it if it's necessary, and it is. These situations are just proving it is necessary.


the garbage that is yaml "builds" is essentially impossible to secure

untyped strings, untyped strings everywhere

and they're directly executed, with untrusted user input templated in, with full release privileges

the entire thing is insane

to think pypa deprecated pgp offline signing for this...


Why not both? Git itself checks and sanitizes branch names, and GitHub should arguably match that behavior. I don't think anyone would object to safer workflows and related tooling instead of being told "here, have some bash inside YAML, now be careful!"


Of course I agree that GitHub should follow the git spec for branch names. I meant that I don't think GitHub should impose any additional restrictions on branch names.
