fix(security): prevent prompt injection via GitHub event data in AI agent workflows#6228
Open
XananasX7 wants to merge 1 commit into
Open
Conversation
…gent workflows Removes ISSUE_BODY and ISSUE_TITLE from workflow env vars that are passed directly to ADK agent prompts. These values are attacker-controlled (any GitHub user can set them by opening an issue or discussion) and were being interpolated directly into LLM prompts with write-capable tools available. Also removes the heredoc injection vector in discussion_answering.yml that wrote raw `github.event.discussion` JSON (including attacker-controlled body) to a temp file and passed it to the agent. The agent now receives only the discussion number and fetches content via the GitHub API itself. Affected workflows: - triage.yml: removes ISSUE_TITLE, ISSUE_BODY from env - discussion_answering.yml: replaces heredoc injection with safe --discussion_number arg The agent can fetch issue/discussion content securely via the GitHub API using its existing tooling (GITHUB_TOKEN with issues:read scope).
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR fixes an indirect prompt injection vulnerability in the ADK Python CI workflows where attacker-controlled GitHub issue/discussion content was being passed directly into ADK agent prompts.
Vulnerability Details
Affected workflows:
triage.yml— passesISSUE_BODYandISSUE_TITLEenv vars directly into agent promptdiscussion_answering.yml— writes rawgithub.event.discussionJSON (including attacker body) via heredoc into a temp file, then passes to agentImpact: Any public GitHub user can craft an issue title/body or discussion body with prompt injection payloads. The ADK agent runs with
GOOGLE_API_KEY,ADK_TRIAGE_AGENT(GitHub PAT with write access), and GCP service account credentials in scope.A malicious payload can instruct the agent to use its write tools (post comments, add labels, close issues) with attacker-controlled content, or attempt to exfiltrate credentials via tool calls.
Fix
triage.yml: RemovedISSUE_TITLEandISSUE_BODYfrom workflow env vars. The agent already hasISSUE_NUMBERandGITHUB_TOKEN— it can securely fetch issue content via the GitHub API.discussion_answering.yml: Replaced the heredoc that injected raw event JSON with a safe--discussion_numberargument. The agent fetches discussion content via the GitHub API instead of receiving it pre-injected into its prompt.References