Skip to content

Comments

fix(workflows): Prevent shell injection in fast-revert workflow#556

Merged
markstory merged 1 commit intomainfrom
fix-vuln-1096-run-shell-injection
Feb 19, 2026
Merged

fix(workflows): Prevent shell injection in fast-revert workflow#556
markstory merged 1 commit intomainfrom
fix-vuln-1096-run-shell-injection

Conversation

@fix-it-felix-sentry
Copy link
Contributor

@fix-it-felix-sentry fix-it-felix-sentry bot commented Feb 18, 2026

Summary

This PR fixes a security finding by preventing potential shell injection in the fast-revert GitHub Actions workflow.

Changes

  • Modified .github/workflows/fast-revert.yml to use environment variables instead of direct GitHub context interpolation in run: steps
  • All GitHub context variables are now passed through the env: section and referenced as environment variables in the shell script
  • Added proper quoting around environment variables to prevent injection

Security Details

The original code used direct interpolation of GitHub context variables (${{ ... }}) in shell commands, which could potentially allow code injection attacks. While the specific variables used (repository ID, run ID, etc.) are likely safe, following security best practices requires using intermediate environment variables.

Before:

run: |
  curl ... -H 'Authorization: token ${{ steps.token.outputs.token }}' ...

After:

env:
  GH_TOKEN: ${{ steps.token.outputs.token }}
run: |
  curl ... -H "Authorization: token $GH_TOKEN" ...

References

Testing

  • YAML syntax validated
  • No functional changes to the workflow behavior
  • All GitHub context variables properly passed through environment variables

@fix-it-felix-sentry @claude
fix(workflows): prevent shell injection in fast-revert workflow
f12c717 
Use environment variables instead of direct GitHub context interpolation
in run steps to prevent potential shell injection attacks.

Fixes VULN-1096
Fixes STREAM-694

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@fix-it-felix-sentry fix-it-felix-sentry bot requested a review from a team as a code owner February 18, 2026 22:06
@linear
Copy link

linear bot commented Feb 18, 2026

VULN-1096 Command Injection vulnerability in getsentry/taskbroker .github/workflows/fast-revert.yml

sentry[bot]
sentry bot reviewed Feb 18, 2026
View reviewed changes
.github/workflows/fast-revert.yml
Comment on lines 49 to 54
--silent \
-X POST \
-H 'Authorization: token ${{ steps.token.outputs.token }}' \
-d'{"body": "revert failed (conflict? already reverted?) -- [check the logs](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})"}' \
https://api.github.com/repositories/${{ github.event.repository.id }}/issues/${{ github.event.number || github.event.inputs.pr }}/comments
-H "Authorization: token $GH_TOKEN" \
-d"{\"body\": \"revert failed (conflict? already reverted?) -- [check the logs](https://github.com/$GH_REPOSITORY/actions/runs/$GH_RUN_ID)\"}" \
"https://api.github.com/repositories/$GH_REPO_ID/issues/$PR_NUMBER/comments"
if: failure()
Copy link

@sentry sentry bot Feb 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: When triggered via workflow_dispatch, the GH_REPO_ID variable is empty, causing the failure notification step to silently fail due to a malformed API URL.
Severity: MEDIUM

Suggested Fix

Ensure the repository ID is correctly sourced for all trigger types. Instead of relying on github.event.repository.id, which is not present in workflow_dispatch events, use the universally available github.repository_id context variable to populate GH_REPO_ID.

Prompt for AI Agent 
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: .github/workflows/fast-revert.yml#L49-L54

Potential issue: When the workflow is triggered via `workflow_dispatch`, the
`github.event.repository.id` context variable is unavailable. This results in the
`GH_REPO_ID` environment variable being set to an empty string. Consequently, the
'comment on failure' step constructs a malformed API URL
(`https://api.github.com/repositories//issues/...`) for its `curl` command. This causes
the API call to fail, silently preventing a failure notification comment from being
posted to the pull request if the main revert action fails. This issue only occurs with
the `workflow_dispatch` trigger.

Did we get this right? 👍 / 👎 to inform future reviews.

@markstory markstory merged commit 314be9d into main Feb 19, 2026
20 checks passed
@markstory markstory deleted the fix-vuln-1096-run-shell-injection branch February 19, 2026 14:39
@sentry-release-bot sentry-release-bot bot mentioned this pull request Feb 20, 2026
Closed
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sentry sentry[bot] sentry[bot] left review comments

@markstory markstory markstory approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@markstory