Skip to content

chore(security): prevent script and commit-message injections #512

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
olivermeyer merged 4 commits into from
Mar 27, 2026
Merged

chore(security): prevent script and commit-message injections #512

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
f3f627d
fix(ci): prevent script injection in run-tests action
olivermeyer Mar 26, 2026
835e5ab
fix(ci): prevent commit-message injection in ci-cd workflow
olivermeyer Mar 26, 2026
deb91ac
fix(ci): prevent script injection in package-publish workflow
olivermeyer Mar 26, 2026
441bf61
fix(ci): prevent script injection in build-native-only workflow
olivermeyer Mar 26, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 5 additions & 2 deletions .github/actions/run-tests/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,9 +30,12 @@ runs:
(!contains(inputs.commit-message, 'skip:test:all')) &&
(!contains(github.event.pull_request.labels.*.name, 'skip:test:all'))
shell: bash
env:
MAKE_TARGET: ${{ inputs.make-target }}
SUMMARY_TITLE: ${{ inputs.summary-title }}
run: |
set +e
make ${{ inputs.make-target }}
make $MAKE_TARGET
EXIT_CODE=$?
# Show test execution in GitHub Job summary
found_files=0
Expand All @@ -44,7 +47,7 @@ runs:
fi
done
if [ $found_files -eq 0 ]; then
echo "# ${{ inputs.summary-title }}" >> $GITHUB_STEP_SUMMARY
echo "# $SUMMARY_TITLE" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
fi
# Show test coverage in GitHub Job summary
Expand Down
20 changes: 14 additions & 6 deletions .github/workflows/_package-publish.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -167,7 +167,9 @@ jobs:

- name: Print the release notes
shell: bash
run: cat "${{ steps.git-cliff.outputs.changelog }}"
env:
GIT_CLIFF_CHANGELOG: ${{ steps.git-cliff.outputs.changelog }}
run: cat "$GIT_CLIFF_CHANGELOG"

- name: Build distribution into dist/
shell: bash
Expand Down Expand Up @@ -202,23 +204,27 @@ jobs:
(!contains(github.event.pull_request.labels.*.name, 'skip:test:all'))
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_REF_NAME: ${{ github.ref_name }}
GIT_CLIFF_CHANGELOG: ${{ steps.git-cliff.outputs.changelog }}
shell: bash
run: |
rm -rf ./test-results/coverage_html
gh release create ${{ github.ref_name }} ./dist/* ./dist_native_zipped/* ./test-results/* ./audit-results/* \
--notes-file ${{ steps.git-cliff.outputs.changelog }}
gh release create "$GH_REF_NAME" ./dist/* ./dist_native_zipped/* ./test-results/* ./audit-results/* \
--notes-file "$GIT_CLIFF_CHANGELOG"

- name: Create GitHub release (no test results)
if: |
(contains(inputs.commit_message, 'skip:test:all')) ||
(contains(github.event.pull_request.labels.*.name, 'skip:test:all'))
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_REF_NAME: ${{ github.ref_name }}
GIT_CLIFF_CHANGELOG: ${{ steps.git-cliff.outputs.changelog }}
shell: bash
run: |
rm -rf ./test-results/coverage_html
gh release create ${{ github.ref_name }} ./dist/* ./dist_native_zipped/* ./audit-results/* \
--notes-file ${{ steps.git-cliff.outputs.changelog }}
gh release create "$GH_REF_NAME" ./dist/* ./dist_native_zipped/* ./audit-results/* \
--notes-file "$GIT_CLIFF_CHANGELOG"

- name: Inform Sentry about release
uses: getsentry/action-release@dab6548b3c03c4717878099e43782cf5be654289 # v3.5.0
Expand All @@ -233,10 +239,12 @@ jobs:
- name: Convert release notes from Markdown to Slack mrkdwn
id: slack-notes
shell: bash
env:
GIT_CLIFF_CONTENT: ${{ steps.git-cliff.outputs.content }}
run: |
# Convert Markdown links [text](url) to Slack mrkdwn <url|text>
# Convert bold **text** to *text*
SLACK_RELEASE_NOTES=$(echo '${{ toJSON(steps.git-cliff.outputs.content) }}' | \
SLACK_RELEASE_NOTES=$(printf '%s\n' "$GIT_CLIFF_CONTENT" | \
sed -E 's/\[([^]]+)\]\(([^)]+)\)/<\2|\1>/g' | \
sed -E 's/\*\*([^*]+)\*\*/*\1*/g')
Comment on lines +242 to 249
Copy link

Copilot AI Mar 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

steps.slack-notes.outputs.content is later inserted into the Slack payload without surrounding quotes (line 262). Previously this step used toJSON(...), so the output was already a JSON-escaped string literal; after switching to printf of raw content, the output will contain unescaped characters/newlines, which will likely make the payload invalid (and can break the Slack announcement step). Consider JSON-encoding the converted notes before writing them to $GITHUB_OUTPUT, or update the payload to quote/escape the value consistently.

Copilot uses AI. Check for mistakes.
Copy link
Copy Markdown
Contributor

@arne-aignx arne-aignx Mar 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@olivermeyer Is this a Markdown output or a JSON output?
As far as I know, it's markdown and we can ignore this comment

echo "content<<SLACKEOF" >> "$GITHUB_OUTPUT"
Expand Down
17 changes: 12 additions & 5 deletions .github/workflows/build-native-only.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,13 +30,17 @@ jobs:
- name: Get commit message
id: get-commit-message
shell: bash
env:
GITHUB_EVENT_NAME: ${{ github.event_name }}
PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
HEAD_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
run: |
if [ "${{ github.event_name }}" == "pull_request" ]; then
if [ "$GITHUB_EVENT_NAME" == "pull_request" ]; then
# For PR events, get the commit message from the PR head SHA
COMMIT_MESSAGE=$(git log -1 --format=%B ${{ github.event.pull_request.head.sha }})
COMMIT_MESSAGE=$(git log -1 --format=%B "$PR_HEAD_SHA")
else
# For push events, use the head commit message
COMMIT_MESSAGE="${{ github.event.head_commit.message }}"
COMMIT_MESSAGE="$HEAD_COMMIT_MESSAGE"
fi
# Export for use in other steps (multiline-safe)
# Use printf with %s to avoid interpreting special characters
Expand All @@ -56,9 +60,12 @@ jobs:
steps:
- name: Check if workflow should run
id: check
env:
COMMIT_HAS_MARKER: ${{ contains(needs.get-commit-message.outputs.commit_message, 'build:native:only') }}
PR_HAS_MARKER: ${{ contains(github.event.pull_request.labels.*.name, 'build:native:only') }}
run: |
if [[ "${{ contains(needs.get-commit-message.outputs.commit_message, 'build:native:only') }}" == "true" ]] || \
[[ "${{ contains(github.event.pull_request.labels.*.name, 'build:native:only') }}" == "true" ]]; then
if [[ "$COMMIT_HAS_MARKER" == "true" ]] || \
[[ "$PR_HAS_MARKER" == "true" ]]; then
echo "should_run=true" >> $GITHUB_OUTPUT
echo "✅ Workflow triggered: Found 'build:native:only' in commit message or PR labels"
else
Expand Down
10 changes: 7 additions & 3 deletions .github/workflows/ci-cd.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,13 +43,17 @@ jobs:
- name: Get commit message
id: get-commit-message
shell: bash
env:
GITHUB_EVENT_NAME: ${{ github.event_name }}
PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
HEAD_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
run: |
if [ "${{ github.event_name }}" == "pull_request" ]; then
if [ "$GITHUB_EVENT_NAME" == "pull_request" ]; then
# For PR events, get the commit message from the PR head SHA
COMMIT_MESSAGE=$(git log -1 --format=%B ${{ github.event.pull_request.head.sha }})
COMMIT_MESSAGE=$(git log -1 --format=%B $PR_HEAD_SHA)
Copy link

Copilot AI Mar 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Quote $PR_HEAD_SHA in the git log call (as done in build-native-only.yml) to avoid word-splitting/globbing and keep the shell style consistent.

Suggested change
COMMIT_MESSAGE=$(git log -1 --format=%B $PR_HEAD_SHA)
COMMIT_MESSAGE=$(git log -1 --format=%B "$PR_HEAD_SHA")

Copilot uses AI. Check for mistakes.
else
# For push events, use the head commit message
COMMIT_MESSAGE='${{ github.event.head_commit.message }}'
COMMIT_MESSAGE="$HEAD_COMMIT_MESSAGE"
fi
# Export for use in other steps (multiline-safe)
# Use printf with %s to avoid interpreting special characters
Expand Down
Loading