fix: Prevent shell injection in GitHub Actions workflow #8034
Merged
Conversation
Fix shell injection vulnerability in publish.yml by using environment variables instead of directly interpolating GitHub context data in shell commands. This prevents potential code injection attacks where untrusted user input could be executed in the runner.

Changes:
- Add env variables MERGE_TARGET and REPO to capture GitHub context data
- Update run script to use environment variables with proper double-quoting
- Prevents direct interpolation of fromJSON(steps.inputs.outputs.result)

Co-Authored-By: fix-it-felix-sentry[bot] <260785270+fix-it-felix-sentry[bot]@users.noreply.github.com>
BYK approved these changes on May 2, 2026
Summary
This PR fixes a shell injection vulnerability (DI-1914) in the GitHub Actions workflow by using environment variables instead of directly interpolating GitHub context data in shell commands.
Changes
- Add env variables MERGE_TARGET and REPO to capture GitHub context data
- Update run script to use environment variables with proper double-quoting
- Prevent direct interpolation of fromJSON(steps.inputs.outputs.result) in shell commands
Security Impact
The previous implementation directly interpolated user-controlled GitHub context data into shell commands, which could allow an attacker to inject malicious code. This fix ensures that all GitHub context data is treated as untrusted input and properly sanitized by using environment variables.
References
🤖 Generated with fix-it-felix-sentry[bot]
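The pattern the PR describes, as an added illustration rather than the PR's own diff: the vulnerable step interpolates the expression straight into the script, the hardened step passes the same values through env. The step id, the output name and the JSON field names (merge_target, repo) are assumptions; only MERGE_TARGET, REPO and the fromJSON(steps.inputs.outputs.result) expression come from the PR text.

```yaml
# Added illustration, not the PR's diff. Step ids, the `result` output and
# the JSON field names are assumed; MERGE_TARGET, REPO and the fromJSON(...)
# expression are the names the PR text uses.
name: publish

on:
  workflow_dispatch:

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - id: inputs
        # Hypothetical step that emits a JSON object as its `result` output
        # (constructed sample values).
        run: echo 'result={"merge_target":"main","repo":"org/name"}' >> "$GITHUB_OUTPUT"

      # BEFORE (the vulnerable pattern): the ${{ }} expression is substituted
      # into the script text by the runner before bash ever parses it, so any
      # shell metacharacters in the value become part of the command line.
      - name: Publish (unsafe)
        run: |
          git checkout ${{ fromJSON(steps.inputs.outputs.result).merge_target }}
          echo "publishing to ${{ fromJSON(steps.inputs.outputs.result).repo }}"

      # AFTER (the PR's approach): the expression is evaluated into an env
      # variable, so the shell only ever sees it as variable contents. The
      # double quotes keep it a single argument (no word splitting or globbing).
      - name: Publish (safe)
        env:
          MERGE_TARGET: ${{ fromJSON(steps.inputs.outputs.result).merge_target }}
          REPO: ${{ fromJSON(steps.inputs.outputs.result).repo }}
        run: |
          git checkout "$MERGE_TARGET"
          echo "publishing to $REPO"
```

The same rule applies to every context value that can carry user-controlled text (issue titles, branch names, PR bodies, step outputs derived from them): route it through env and quote it, rather than expanding it inside run.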