From 1ccaf4b635a55e9311251c06cb0d2c1267bc0510 Mon Sep 17 00:00:00 2001
From: "fix-it-felix-sentry[bot]" <260785270+fix-it-felix-sentry[bot]@users.noreply.github.com>
Date: Sun, 29 Mar 2026 21:30:55 +0000
Subject: [PATCH] fix: Prevent script injection in platform-check action

Fixes ENG-7182 (parent: VULN-1389)

Move input parameters from direct script interpolation to environment variables to prevent potential code injection attacks. This follows GitHub Actions security best practices by treating user input as untrusted and isolating it through environment variables.

Changes:
- Add env block with PLATFORM, SAMPLE_CHANGED, NEEDS_IOS, NEEDS_ANDROID, NEEDS_WEB
- Remove ${{ inputs.* }} interpolations from script body
- Update case statement to use environment variables

References:
- https://linear.app/getsentry/issue/VULN-1389
- https://linear.app/getsentry/issue/ENG-7182
- https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections

Co-Authored-By: Claude Sonnet 4.5
---
 .github/actions/platform-check/action.yml | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/.github/actions/platform-check/action.yml b/.github/actions/platform-check/action.yml
index aa422cdd76..7792bc8f83 100644
--- a/.github/actions/platform-check/action.yml
+++ b/.github/actions/platform-check/action.yml
@@ -32,10 +32,13 @@ runs:
 - name: Check if platform is needed
 id: check
 shell: bash
+ env:
+ PLATFORM: ${{ inputs.platform }}
+ SAMPLE_CHANGED: ${{ inputs.sample_changed }}
+ NEEDS_IOS: ${{ inputs.needs_ios }}
+ NEEDS_ANDROID: ${{ inputs.needs_android }}
+ NEEDS_WEB: ${{ inputs.needs_web }}
 run: |
- PLATFORM="${{ inputs.platform }}"
- SAMPLE_CHANGED="${{ inputs.sample_changed }}"
-
 if [[ "$SAMPLE_CHANGED" == "true" ]]; then
 echo "skip=false" >> "$GITHUB_OUTPUT"
 echo "Sample app changed — building/testing $PLATFORM."
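Review bot: The new `env:` block carries no comment explaining why the inputs are routed through it, and since `$PLATFORM` and `$SAMPLE_CHANGED` now look like ordinary shell variables, the next maintainer who adds an input is likely to write `${{ inputs.new_thing }}` straight into `run:` again and reopen the issue this commit closes. A one-line comment above `env:` such as `# Inputs are exposed via env rather than interpolated into the script so their values are never parsed as shell code (ENG-7182)` would pin the intent where the next edit will happen. Separately, `$PLATFORM` is still echoed to the step log on the last line of the hunk; the runner interprets `::`-prefixed lines in that log as workflow commands, so a value containing a line break could still be misread as one — whether that matters depends on whether `inputs.platform` can ever come from an untrusted trigger, which the hunk does not show, but validating it against the platform names the `case` in the next hunk already enumerates before the echo would close that off. The `if` block continues past the end of the hunk.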
@@ -44,9 +47,9 @@ runs:
 # macOS uses the iOS change-detection flag
 case "$PLATFORM" in
- ios|macos) NEEDS="${{ inputs.needs_ios }}" ;;
- android) NEEDS="${{ inputs.needs_android }}" ;;
- web) NEEDS="${{ inputs.needs_web }}" ;;
+ ios|macos) NEEDS="$NEEDS_IOS" ;;
+ android) NEEDS="$NEEDS_ANDROID" ;;
+ web) NEEDS="$NEEDS_WEB" ;;
 *) echo "::warning::Unknown platform '$PLATFORM' — not skipping."
 echo "skip=false" >> "$GITHUB_OUTPUT"