Fix command injection in required-field-check workflow (#3642)

varadarajan-tw · claude · web-flow · commit 38e4ee2070f3 · 2026-04-08T13:49:16.000+05:30
* Fix command injection in required-field-check workflow (CWE-78)

Remediate OS command injection vulnerability where PR filenames containing
shell metacharacters (e.g., $()) could execute arbitrary commands on the
Actions runner. Untrusted filenames from the GitHub API were interpolated
unquoted into bash via ${{ }} expressions.

Fix: output files as JSON array, pass through env variable (not inline
interpolation), parse safely with jq, and build args with proper quoting.

Ref: HackerOne #3526875

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;

* Skip required-field warnings for new destinations and new actions

New destinations have no existing customers and new actions have no
existing configurations, so adding required fields to them is safe.
Only warn when required fields are added to actions/settings that
already exist on main.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;

* noop

* Use printf instead of echo for safer JSON piping to jq

* Address Copilot review: pipefail, jq -e, and paginate PR files

- set -euo pipefail on both bash steps so pipeline failures from
  ./bin/run are not masked by jq's exit code
- jq -ce to fail on empty/null output
- github.paginate() with per_page:100 to fetch all changed files
  (github.request only returned the first page, default 30 files)

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;

---------

Co-authored-by: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/required-field-check.yml b/.github/workflows/required-field-check.yml
@@ -33,30 +33,38 @@ jobs:
         uses: actions/github-script@v7
         with:
           script: |
-            const response = await github.request('GET /repos/{owner}/{repo}/pulls/{pull_number}/files', {
+            const files = await github.paginate('GET /repos/{owner}/{repo}/pulls/{pull_number}/files', {
               owner: context.repo.owner,
               repo: context.repo.repo,
-              pull_number: context.issue.number
-            })
-            const files = response.data.map(file => file.filename)
-            core.setOutput('files', files.join(' '))
+              pull_number: context.issue.number,
+              per_page: 100
+            }, response => response.data.map(file => file.filename))
+            core.setOutput('files', JSON.stringify(files))
             if (files.length === 0) {
               core.setOutput('no_files_changed', true)
             }
 
       - name: Find required fields on current branch
         id: required-fields-curr-branch
         if: steps.get_files.outputs.no_files_changed != 'true'
+        env:
+          CHANGED_FILES: ${{ steps.get_files.outputs.files }}
         run: |
-          set -e
-          REQUIRED_FIELDS_CURR_BRANCH=$(./bin/run list-required-fields -p ${{ steps.get_files.outputs.files }} | jq -c .)
+          set -euo pipefail
+          ARGS=()
+          while IFS= read -r file; do
+            ARGS+=(-p "$file")
+          done < <(printf '%s' "$CHANGED_FILES" | jq -r '.[]')
+          REQUIRED_FIELDS_CURR_BRANCH=$(./bin/run list-required-fields "${ARGS[@]}" | jq -ce .)
           echo "REQUIRED_FIELDS_CURR_BRANCH=$REQUIRED_FIELDS_CURR_BRANCH" >> $GITHUB_ENV
 
       - name: Check for required fields on main branch
         id: required-fields-main-branch
         if: steps.get_files.outputs.no_files_changed != 'true'
+        env:
+          CHANGED_FILES: ${{ steps.get_files.outputs.files }}
         run: |
-          set -e
+          set -euo pipefail
           git checkout main
           # Run install again on main branch to ensure all dependencies are installed
           # and the lockfile is up to date
@@ -65,7 +73,11 @@ jobs:
           # checked against the correct version of the dependencies
           yarn install --frozen-lockfile --silent
           # Run the list-required-fields command on the main branch to get the required fields
-          REQUIRED_FIELDS_MAIN_BRANCH=$(./bin/run list-required-fields -p ${{ steps.get_files.outputs.files }} | jq -c .)
+          ARGS=()
+          while IFS= read -r file; do
+            ARGS+=(-p "$file")
+          done < <(printf '%s' "$CHANGED_FILES" | jq -r '.[]')
+          REQUIRED_FIELDS_MAIN_BRANCH=$(./bin/run list-required-fields "${ARGS[@]}" | jq -ce .)
           echo "REQUIRED_FIELDS_MAIN_BRANCH=$REQUIRED_FIELDS_MAIN_BRANCH" >> $GITHUB_ENV
 
       - name: Add comment on PR if there is diff in required fields
@@ -82,34 +94,29 @@ jobs:
               const requiredFieldsOnMain = JSON.parse(process.env.REQUIRED_FIELDS_MAIN_BRANCH)
 
               Object.keys(requiredFieldsOnBranch).forEach(key => {
-                // Check if key is present in requiredFieldsOnMain
-                if(requiredFieldsOnMain[key]) {
-                  const getActionKeys = Object.keys(requiredFieldsOnBranch[key])
-                  for(const actionKey of getActionKeys) {
-                    const branchRequiredFields = requiredFieldsOnBranch[key][actionKey]
-                    const mainRequiredFields = requiredFieldsOnMain[key][actionKey]
-                    const diff = branchRequiredFields.filter(field => !mainRequiredFields?.includes(field))
-                    if(diff.length > 0) {
-                      const isSettingsKey = actionKey === 'settings'
-                      if (isSettingsKey) {
-                        fieldsAdded.push(`- **Destination**: ${key}, **Settings**:${diff.join(',')}`)
-                      } else {
-                        fieldsAdded.push(`- **Destination**: ${key}, Action **Field(s)**:${diff.join(',')}`)
-                      }
-                    }
+                // Skip new destinations — no existing customers to break
+                if(!requiredFieldsOnMain[key]) {
+                  return
+                }
+
+                const getActionKeys = Object.keys(requiredFieldsOnBranch[key])
+                for(const actionKey of getActionKeys) {
+                  // Skip new actions — no existing configurations to break
+                  if(!requiredFieldsOnMain[key][actionKey]) {
+                    continue
                   }
-                } else {
-
-                  // If key is not present in requiredFieldsOnMain, then all fields are added recently
-                  const getActionKeys = Object.keys(requiredFieldsOnBranch[key])
-                  for(const actionKey of getActionKeys) {
-                    const branchRequiredFields = requiredFieldsOnBranch[key][actionKey]
-                    if(actionKey === 'settings') {
-                      fieldsAdded.push(`- **Destination**: ${key}, **Settings**:${branchRequiredFields.join(',')}`)
+
+                  const branchRequiredFields = requiredFieldsOnBranch[key][actionKey]
+                  const mainRequiredFields = requiredFieldsOnMain[key][actionKey]
+                  const diff = branchRequiredFields.filter(field => !mainRequiredFields.includes(field))
+                  if(diff.length > 0) {
+                    const isSettingsKey = actionKey === 'settings'
+                    if (isSettingsKey) {
+                      fieldsAdded.push(`- **Destination**: ${key}, **Settings**:${diff.join(',')}`)
                     } else {
-                      fieldsAdded.push(`- **Destination**: ${key}, **Action**:${actionKey}, **Fields**:${branchRequiredFields.join(',')}`)
+                      fieldsAdded.push(`- **Destination**: ${key}, Action **Field(s)**:${diff.join(',')}`)
                     }
-                }
+                  }
                 }
               })
             }
