Skip to content

fix(ci): avoid shell injection from workflow_dispatch input#476

Open
NickAldewereld wants to merge 2 commits into
CorentinTh:mainfrom
NickAldewereld:fix/ci-workflow-input-injection
Open

fix(ci): avoid shell injection from workflow_dispatch input#476
NickAldewereld wants to merge 2 commits into
CorentinTh:mainfrom
NickAldewereld:fix/ci-workflow-input-injection

Conversation

@NickAldewereld

Copy link
Copy Markdown

cd-docker-release.yaml interpolates a workflow_dispatch input straight into a run: script:

run: echo "RELEASE_VERSION=${{ github.event.inputs.release_version }}" >> $GITHUB_ENV

That is the textbook shell-injection pattern. It requires write access to trigger, so the risk is self-inflicted only, but it's easy to fix by routing the value through an env: var and referencing it as a shell variable instead.

…polation

Interpolating ${{ github.event.inputs.release_version }} straight into a
run: script is the textbook shell-injection pattern; route it through an
env var and reference it as a shell variable instead.
…ocker job

Third-party actions were referenced by mutable tags, so a retagged
release would run unreviewed code with the workflow's token. Pin every
action to a full commit SHA, matching the existing actions/checkout pin.

The workflow also granted packages:write to all four jobs while only
docker-release pushes images. Move it down to that job so the npm
publish jobs run without registry write access.
@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant