Skip to content

fix: prevent shell injection vulnerabilities (SEC-4316) #76

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pkanoongo merged 2 commits into from
Oct 21, 2025
+11 βˆ’6
Merged

fix: prevent shell injection vulnerabilities (SEC-4316) #76

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ad8c55b
fix: prevent shell injection in GitHub Actions workflows - SEC-4316
pkanoongo Oct 20, 2025
d1c28c8
fix: additional shell injection vulnerabilities in version update step
pkanoongo Oct 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 11 additions & 6 deletions release-poetry-package/action.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,30 +79,35 @@ runs:
- name: Update package version (non-poetry)
if: hashFiles('poetry.lock') != '' && steps.version.outputs.new_release_published != 'false'
shell: bash
env:
NEW_RELEASE_VERSION: ${{ steps.version.outputs.new_release_version }}
GIT_USER_NAME: ${{ inputs.git-user-name }}
GIT_USER_EMAIL: ${{ inputs.git-user-email }}
DRY_RUN: ${{ inputs.dry-run }}
run: |
# Use poetry to bump the version in pyproject.toml
poetry version "${{ steps.version.outputs.new_release_version }}"
poetry version "$NEW_RELEASE_VERSION"

# Specify the user name and email which is required to commit with a token auth
git config user.email "${{ inputs.git-user-name }}"
git config user.name "${{ inputs.git-user-email }}"
git config user.email "$GIT_USER_NAME"
git config user.name "$GIT_USER_EMAIL"

# Commit the bumped project version with a non-semver chore: commit message
git add pyproject.toml
git --no-pager diff --staged
git commit --author="${{ inputs.git-user-name }} <${{ inputs.git-user-email }}>" -m "chore: release ${{ steps.version.outputs.new_release_version }}" -m "[skip actions]"
git commit --author="$GIT_USER_NAME <$GIT_USER_EMAIL>" -m "chore: release $NEW_RELEASE_VERSION" -m "[skip actions]"

# Push the changes to the current (should be main) branch, if this is not a dry-run
# TODO: This might not be super safe, we should consider that this could
Comment on lines 87 to 101
Copy link

@semgrep-app semgrep-app bot Oct 20, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".

🍰 Fixed in commit d1c28c8 🍰

# be broken with beta/alpha releases, and might need an explicit check
# somehow to ensure we're not releasing poorly against a branch that
# shouldn't do so
if [[ "${{ inputs.dry-run }}" == "false" ]]; then
if [[ "$DRY_RUN" == "false" ]]; then
git push || { echo "::error:: Failed to push version update for pyproject.toml, check your github-token permissions, or branch protections."; exit 1; }
fi

# Nice logging, generate success exit code from this run step
echo "::notice::Version successfully updated in pyproject.toml to ${{ steps.version.outputs.new_release_version }}."
echo "::notice::Version successfully updated in pyproject.toml to $NEW_RELEASE_VERSION."
- name: Release
id: release
if: steps.version.outputs.new_release_published == 'true'
Expand Down
Loading