From ad8c55b7497e26ad98306a5f1377ff43e2626771 Mon Sep 17 00:00:00 2001
From: "pkanoongo@turo.com"
Date: Mon, 20 Oct 2025 17:52:32 -0500
Subject: [PATCH 1/2] fix: prevent shell injection in GitHub Actions workflows - SEC-4316

---
 release-poetry-package/action.yaml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/release-poetry-package/action.yaml b/release-poetry-package/action.yaml
index e28ffc3..9d70944 100644
--- a/release-poetry-package/action.yaml
+++ b/release-poetry-package/action.yaml
@@ -79,18 +79,22 @@ runs:
 - name: Update package version (non-poetry)
 if: hashFiles('poetry.lock') != '' && steps.version.outputs.new_release_published != 'false'
 shell: bash
+ env:
+ NEW_RELEASE_VERSION: ${{ steps.version.outputs.new_release_version }}
+ GIT_USER_NAME: ${{ inputs.git-user-name }}
+ GIT_USER_EMAIL: ${{ inputs.git-user-email }}
 run: |
 # Use poetry to bump the version in pyproject.toml
- poetry version "${{ steps.version.outputs.new_release_version }}"
+ poetry version "$NEW_RELEASE_VERSION"
 # Specify the user name and email which is required to commit with a token auth
- git config user.email "${{ inputs.git-user-name }}"
- git config user.name "${{ inputs.git-user-email }}"
+ git config user.email "$GIT_USER_NAME"
+ git config user.name "$GIT_USER_EMAIL"
 # Commit the bumped project version with a non-semver chore: commit message
 git add pyproject.toml
 git --no-pager diff --staged
- git commit --author="${{ inputs.git-user-name }} <${{ inputs.git-user-email }}>" -m "chore: release ${{ steps.version.outputs.new_release_version }}" -m "[skip actions]"
+ git commit --author="$GIT_USER_NAME <$GIT_USER_EMAIL>" -m "chore: release $NEW_RELEASE_VERSION" -m "[skip actions]"
 # Push the changes to the current (should be main) branch, if this is not a dry-run
 # TODO: This might not be super safe, we should consider that this could
From d1c28c87be56a427327d858d99b9c8fce4fb863e Mon Sep 17 00:00:00 2001
From: "pkanoongo@turo.com"
Date: Mon, 20 Oct 2025 19:16:12 -0500
Subject: [PATCH 2/2] fix: additional shell injection vulnerabilities in version update step

- Add env var for inputs.dry-run
- Fix lines 104 and 109 with proper env variable usage
- Semgrep findings: yaml.github-actions.security.run-shell-injection
Jira: SEC-4316
---
 release-poetry-package/action.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/release-poetry-package/action.yaml b/release-poetry-package/action.yaml
index 9d70944..5520a10 100644
--- a/release-poetry-package/action.yaml
+++ b/release-poetry-package/action.yaml
@@ -83,6 +83,7 @@ runs:
 NEW_RELEASE_VERSION: ${{ steps.version.outputs.new_release_version }}
 GIT_USER_NAME: ${{ inputs.git-user-name }}
 GIT_USER_EMAIL: ${{ inputs.git-user-email }}
+ DRY_RUN: ${{ inputs.dry-run }}
 run: |
 # Use poetry to bump the version in pyproject.toml
 poetry version "$NEW_RELEASE_VERSION"
@@ -101,12 +102,12 @@ runs:
 # be broken with beta/alpha releases, and might need an explicit check
 # somehow to ensure we're not releasing poorly against a branch that
 # shouldn't do so
- if [[ "${{ inputs.dry-run }}" == "false" ]]; then
+ if [[ "$DRY_RUN" == "false" ]]; then
 git push || { echo "::error:: Failed to push version update for pyproject.toml, check your github-token permissions, or branch protections."; exit 1; }
 fi
 # Nice logging, generate success exit code from this run step
- echo "::notice::Version successfully updated in pyproject.toml to ${{ steps.version.outputs.new_release_version }}."
+ echo "::notice::Version successfully updated in pyproject.toml to $NEW_RELEASE_VERSION."
 - name: Release
 id: release
 if: steps.version.outputs.new_release_published == 'true'
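Review bot: The `env:` block that `DRY_RUN` joins now carries every interpolated value into the step, but nothing at the step records the invariant the fix depends on, namely that `${{ }}` must not reappear inside `run:`; a comment above `env:` such as `# Inputs and step outputs are passed as env vars, never ${{ }} inside run:, so their contents stay data rather than shell (SEC-4316)` would keep a later edit from reintroducing the injection. The `git config` lines that consume `GIT_USER_NAME` and `GIT_USER_EMAIL` sit outside this hunk, but in the first patch they read `git config user.email "$GIT_USER_NAME"` and `git config user.name "$GIT_USER_EMAIL"`, which appears to map each value to the wrong key; if that is not intentional the committer identity on the release commit is swapped, while the `--author=` argument has them in the expected order. The enclosing `run:` block continues past this hunk.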
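Review bot: The guard `if [[ "$DRY_RUN" == "false" ]]; then` pushes only when the input is exactly the lowercase string `false`; composite-action inputs are strings, so a caller passing `False`, `no` or `0` silently gets a dry run while the later `::notice::` line still reports success, which is fail-closed but hides a misconfigured caller. Adding a branch before `fi` such as `else echo "::notice::dry-run is '$DRY_RUN', skipping git push."` would make the skipped push visible in the job log; whether `inputs.dry-run` declares a `default:` is not visible here. The enclosing `run:` block starts before this hunk.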