From 4cef62988049a600e322cc9dd7ea13c69ad3ca27 Mon Sep 17 00:00:00 2001 From: Dorin Geman Date: Wed, 11 Feb 2026 11:41:40 +0200 Subject: [PATCH] fix: prevent shell injection in workflow inputs (CWE-78) Signed-off-by: Dorin Geman --- .github/workflows/dmr-daily-check.yml | 14 +++++----- .github/workflows/promote-to-latest.yml | 32 +++++++++++++++------- .github/workflows/release.yml | 35 ++++++++++++++----------- 3 files changed, 50 insertions(+), 31 deletions(-) diff --git a/.github/workflows/dmr-daily-check.yml b/.github/workflows/dmr-daily-check.yml index 5b2e077ef..700550697 100644 --- a/.github/workflows/dmr-daily-check.yml +++ b/.github/workflows/dmr-daily-check.yml @@ -58,10 +58,11 @@ jobs: fi - name: Test model pull and run + env: + MODEL: ${{ github.event.inputs.test_model || 'ai/smollm2:360M-Q4_K_M' }} run: | - MODEL="${{ github.event.inputs.test_model || 'ai/smollm2:360M-Q4_K_M' }}" echo "Testing with model: $MODEL" - + # Test model pull echo "Pulling model..." sudo docker model pull "$MODEL" @@ -86,10 +87,11 @@ jobs: } - name: Test API endpoint + env: + MODEL: ${{ github.event.inputs.test_model || 'ai/smollm2:360M-Q4_K_M' }} run: | - MODEL="${{ github.event.inputs.test_model || 'ai/smollm2:360M-Q4_K_M' }}" echo "Testing API endpoint with model: $MODEL" - + # Test API call with curl echo "Testing API call..." RESPONSE=$(curl -s http://localhost:12434/engines/llama.cpp/v1/chat/completions \ @@ -124,9 +126,9 @@ jobs: fi - name: Test model cleanup + env: + MODEL: ${{ github.event.inputs.test_model || 'ai/smollm2:360M-Q4_K_M' }} run: | - MODEL="${{ github.event.inputs.test_model || 'ai/smollm2:360M-Q4_K_M' }}" - echo "Cleaning up test model..." sudo docker model rm "$MODEL" || echo "Model removal failed or model not found" diff --git a/.github/workflows/promote-to-latest.yml b/.github/workflows/promote-to-latest.yml index 8e223ac14..f2f6c9bbe 100644 --- a/.github/workflows/promote-to-latest.yml +++ b/.github/workflows/promote-to-latest.yml 
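Review bot: `$MODEL` still reaches `sudo docker model pull "$MODEL"` in the "Test model pull and run" step without any format check, so a value beginning with `-` would be parsed by the CLI as an option instead of a model reference; the env indirection only stops the shell from parsing the input. A guard at the top of the `run:` block would close that, for example `case "$MODEL" in -*) echo "invalid test_model" >&2; exit 1;; esac`. The same applies to `sudo docker model rm "$MODEL"` in the "Test model cleanup" hunk. The identical `env:` entry is also repeated in all three steps, so defining `MODEL` once in a job-level `env:` block would keep the default model in one place. The `run:` blocks continue outside these hunks.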
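Review bot: The `curl` call in "Test API endpoint" continues past the end of this hunk, so how `$MODEL` enters the request body is not visible here; if it is spliced into a JSON string literal, a value containing `"` or `\` would change the structure of the payload even though the shell no longer interprets it. Building the body with a JSON encoder avoids that, assuming `jq` is available on the runner: `BODY=$(jq -n --arg model "$MODEL" '{model: $model}')`, extended with the remaining fields and passed as `-d "$BODY"`.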
@@ -28,46 +28,60 @@ jobs: run: crane auth login index.docker.io -u "$DOCKERHUB_USERNAME" -p "$DOCKERHUB_TOKEN" - name: Promote CPU images + env: + VERSION: ${{ inputs.version }} run: | echo "Promoting CPU images" - crane tag "docker/model-runner:${{ inputs.version }}" "latest" + crane tag "docker/model-runner:$VERSION" "latest" - name: Promote CUDA images + env: + VERSION: ${{ inputs.version }} run: | echo "Promoting CUDA images" - crane tag "docker/model-runner:${{ inputs.version }}-cuda" "latest-cuda" + crane tag "docker/model-runner:$VERSION-cuda" "latest-cuda" - name: Promote vLLM CUDA images + env: + VERSION: ${{ inputs.version }} run: | echo "Promoting vLLM CUDA images" - crane tag "docker/model-runner:${{ inputs.version }}-vllm-cuda" "latest-vllm-cuda" + crane tag "docker/model-runner:$VERSION-vllm-cuda" "latest-vllm-cuda" - name: Promote SGLang CUDA images + env: + VERSION: ${{ inputs.version }} run: | echo "Promoting SGLang CUDA images" - crane tag "docker/model-runner:${{ inputs.version }}-sglang-cuda" "latest-sglang-cuda" + crane tag "docker/model-runner:$VERSION-sglang-cuda" "latest-sglang-cuda" - name: Promote ROCm images + env: + VERSION: ${{ inputs.version }} run: | echo "Promoting ROCm images" - crane tag "docker/model-runner:${{ inputs.version }}-rocm" "latest-rocm" + crane tag "docker/model-runner:$VERSION-rocm" "latest-rocm" - name: Promote MUSA images + env: + VERSION: ${{ inputs.version }} run: | echo "Checking if MUSA image exists" - if crane manifest "docker/model-runner:${{ inputs.version }}-musa" > /dev/null 2>&1; then + if crane manifest "docker/model-runner:$VERSION-musa" > /dev/null 2>&1; then echo "Promoting MUSA images" - crane tag "docker/model-runner:${{ inputs.version }}-musa" "latest-musa" + crane tag "docker/model-runner:$VERSION-musa" "latest-musa" else echo "MUSA image does not exist, skipping" fi - name: Promote CANN images + env: + VERSION: ${{ inputs.version }} run: | echo "Checking if CANN image exists" - if crane manifest 
"docker/model-runner:${{ inputs.version }}-cann" > /dev/null 2>&1; then + if crane manifest "docker/model-runner:$VERSION-cann" > /dev/null 2>&1; then echo "Promoting CANN images" - crane tag "docker/model-runner:${{ inputs.version }}-cann" "latest-cann" + crane tag "docker/model-runner:$VERSION-cann" "latest-cann" else echo "CANN image does not exist, skipping" fi diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ebea5b8a0..e01555dc8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
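Review bot: `VERSION: ${{ inputs.version }}` is now declared in seven separate step-level `env:` blocks, so a step added later without it would expand `$VERSION` to an empty string and operate on `docker/model-runner:-<suffix>`; declaring it once in the job's `env:` removes that failure mode. References such as `"docker/model-runner:$VERSION-cuda"` are correct only because `-` cannot be part of a shell variable name, and `"docker/model-runner:${VERSION}-cuda"` makes the boundary explicit and stays correct if a suffix ever starts with a letter, digit or underscore. The job's `steps:` list starts outside the hunk.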
@@ -62,52 +62,55 @@ jobs: - name: Format tags id: tags shell: bash + env: + RELEASE_TAG: ${{ inputs.releaseTag }} + PUSH_LATEST: ${{ inputs.pushLatest }} run: | echo "cpu<> "$GITHUB_OUTPUT" - echo "docker/model-runner:${{ inputs.releaseTag }}" >> "$GITHUB_OUTPUT" - if [ "${{ inputs.pushLatest }}" == "true" ]; then + echo "docker/model-runner:$RELEASE_TAG" >> "$GITHUB_OUTPUT" + if [ "$PUSH_LATEST" == "true" ]; then echo "docker/model-runner:latest" >> "$GITHUB_OUTPUT" fi echo 'EOF' >> "$GITHUB_OUTPUT" echo "cuda<> "$GITHUB_OUTPUT" - echo "docker/model-runner:${{ inputs.releaseTag }}-cuda" >> "$GITHUB_OUTPUT" - if [ "${{ inputs.pushLatest }}" == "true" ]; then + echo "docker/model-runner:$RELEASE_TAG-cuda" >> "$GITHUB_OUTPUT" + if [ "$PUSH_LATEST" == "true" ]; then echo "docker/model-runner:latest-cuda" >> "$GITHUB_OUTPUT" fi echo 'EOF' >> "$GITHUB_OUTPUT" echo "vllm-cuda<> "$GITHUB_OUTPUT" - echo "docker/model-runner:${{ inputs.releaseTag }}-vllm-cuda" >> "$GITHUB_OUTPUT" - if [ "${{ inputs.pushLatest }}" == "true" ]; then + echo "docker/model-runner:$RELEASE_TAG-vllm-cuda" >> "$GITHUB_OUTPUT" + if [ "$PUSH_LATEST" == "true" ]; then echo "docker/model-runner:latest-vllm-cuda" >> "$GITHUB_OUTPUT" fi echo 'EOF' >> "$GITHUB_OUTPUT" echo "sglang-cuda<> "$GITHUB_OUTPUT" - echo "docker/model-runner:${{ inputs.releaseTag }}-sglang-cuda" >> "$GITHUB_OUTPUT" - if [ "${{ inputs.pushLatest }}" == "true" ]; then + echo "docker/model-runner:$RELEASE_TAG-sglang-cuda" >> "$GITHUB_OUTPUT" + if [ "$PUSH_LATEST" == "true" ]; then echo "docker/model-runner:latest-sglang-cuda" >> "$GITHUB_OUTPUT" fi echo 'EOF' >> "$GITHUB_OUTPUT" echo "diffusers<> "$GITHUB_OUTPUT" - echo "docker/model-runner:${{ inputs.releaseTag }}-diffusers" >> "$GITHUB_OUTPUT" - if [ "${{ inputs.pushLatest }}" == "true" ]; then + echo "docker/model-runner:$RELEASE_TAG-diffusers" >> "$GITHUB_OUTPUT" + if [ "$PUSH_LATEST" == "true" ]; then echo "docker/model-runner:latest-diffusers" >> "$GITHUB_OUTPUT" fi echo 'EOF' 
>> "$GITHUB_OUTPUT" echo "rocm<> "$GITHUB_OUTPUT" - echo "docker/model-runner:${{ inputs.releaseTag }}-rocm" >> "$GITHUB_OUTPUT" - if [ "${{ inputs.pushLatest }}" == "true" ]; then + echo "docker/model-runner:$RELEASE_TAG-rocm" >> "$GITHUB_OUTPUT" + if [ "$PUSH_LATEST" == "true" ]; then echo "docker/model-runner:latest-rocm" >> "$GITHUB_OUTPUT" fi echo 'EOF' >> "$GITHUB_OUTPUT" echo "musa<> "$GITHUB_OUTPUT" - echo "docker/model-runner:${{ inputs.releaseTag }}-musa" >> "$GITHUB_OUTPUT" - if [ "${{ inputs.pushLatest }}" == "true" ]; then + echo "docker/model-runner:$RELEASE_TAG-musa" >> "$GITHUB_OUTPUT" + if [ "$PUSH_LATEST" == "true" ]; then echo "docker/model-runner:latest-musa" >> "$GITHUB_OUTPUT" fi echo 'EOF' >> "$GITHUB_OUTPUT" echo "cann<> "$GITHUB_OUTPUT" - echo "docker/model-runner:${{ inputs.releaseTag }}-cann" >> "$GITHUB_OUTPUT" - if [ "${{ inputs.pushLatest }}" == "true" ]; then + echo "docker/model-runner:$RELEASE_TAG-cann" >> "$GITHUB_OUTPUT" + if [ "$PUSH_LATEST" == "true" ]; then echo "docker/model-runner:latest-cann" >> "$GITHUB_OUTPUT" fi echo 'EOF' >> "$GITHUB_OUTPUT"
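Review bot: `$RELEASE_TAG` is written into `$GITHUB_OUTPUT` inside multi-line blocks that are closed by a fixed `EOF` line, and nothing checks its format first, so a value containing a line break could end a block early and add lines to the step's outputs; the env indirection stops shell parsing but not this output-file injection. Since the step already sets `shell: bash`, one check at the top of the `run:` block covers all eight tag blocks: `[[ "$RELEASE_TAG" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]] || { echo "invalid releaseTag" >&2; exit 1; }`. The opening line of each block is garbled on this page, so the fixed delimiter is inferred from the `echo 'EOF'` lines.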