Skip to content

fix(security): prevent prompt injection via GitHub event data in AI agent workflows#6228

Open
XananasX7 wants to merge 1 commit into
google:mainfrom
XananasX7:fix/security-prompt-injection-workflow-inputs
Open

fix(security): prevent prompt injection via GitHub event data in AI agent workflows#6228
XananasX7 wants to merge 1 commit into
google:mainfrom
XananasX7:fix/security-prompt-injection-workflow-inputs

Conversation

@XananasX7

Copy link
Copy Markdown

Summary

This PR fixes an indirect prompt injection vulnerability in the ADK Python CI workflows where attacker-controlled GitHub issue/discussion content was being passed directly into ADK agent prompts.

Vulnerability Details

Affected workflows:

  • triage.yml — passes ISSUE_BODY and ISSUE_TITLE env vars directly into agent prompt
  • discussion_answering.yml — writes raw github.event.discussion JSON (including attacker body) via heredoc into a temp file, then passes to agent

Impact: Any public GitHub user can craft an issue title/body or discussion body with prompt injection payloads. The ADK agent runs with GOOGLE_API_KEY, ADK_TRIAGE_AGENT (GitHub PAT with write access), and GCP service account credentials in scope.

A malicious payload can instruct the agent to use its write tools (post comments, add labels, close issues) with attacker-controlled content, or attempt to exfiltrate credentials via tool calls.

Fix

  • triage.yml: Removed ISSUE_TITLE and ISSUE_BODY from workflow env vars. The agent already has ISSUE_NUMBER and GITHUB_TOKEN — it can securely fetch issue content via the GitHub API.

  • discussion_answering.yml: Replaced the heredoc that injected raw event JSON with a safe --discussion_number argument. The agent fetches discussion content via the GitHub API instead of receiving it pre-injected into its prompt.

References

…gent workflows

Removes ISSUE_BODY and ISSUE_TITLE from workflow env vars that are passed
directly to ADK agent prompts. These values are attacker-controlled (any
GitHub user can set them by opening an issue or discussion) and were being
interpolated directly into LLM prompts with write-capable tools available.

Also removes the heredoc injection vector in discussion_answering.yml that
wrote raw `github.event.discussion` JSON (including attacker-controlled body)
to a temp file and passed it to the agent. The agent now receives only the
discussion number and fetches content via the GitHub API itself.

Affected workflows:
- triage.yml: removes ISSUE_TITLE, ISSUE_BODY from env
- discussion_answering.yml: replaces heredoc injection with safe --discussion_number arg

The agent can fetch issue/discussion content securely via the GitHub API
using its existing tooling (GITHUB_TOKEN with issues:read scope).
@google-cla

google-cla Bot commented Jun 28, 2026

Copy link
Copy Markdown

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant