Skip to content

Potential fix for code scanning alert no. 1440: Code injection #162764

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 22, 2025
Merged

Potential fix for code scanning alert no. 1440: Code injection #162764

merged 1 commit into from
Oct 22, 2025

Conversation

@tstellar
Copy link
Collaborator

@tstellar tstellar commented Oct 10, 2025
edited
Loading

@tstellar @github-advanced-security
workflows/libcxx-run-benchmarks.yml: Fix code injection vulnerability
dcf2659 
https://github.com/llvm/llvm-project/security/code-scanning/1440

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@tstellar tstellar marked this pull request as ready for review October 10, 2025 02:54
@llvmbot llvmbot added libc++ libc++ C++ Standard Library. Not GNU libstdc++. Not libc++abi. github:workflow labels Oct 10, 2025
@llvmbot
Copy link
Member

llvmbot commented Oct 10, 2025
edited
Loading

@llvm/pr-subscribers-github-workflow

@llvm/pr-subscribers-libcxx

Author: Tom Stellard (tstellar)

Changes

Fix for: https://github.com/llvm/llvm-project/security/code-scanning/1440

This fix was automatically generated by Copilot Autofix for CodeQL. See https://docs.github.com/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning for more info.

Full diff: https://github.com/llvm/llvm-project/pull/162764.diff

1 Files Affected:

  • (modified) .github/workflows/libcxx-run-benchmarks.yml (+6-2)
diff --git a/.github/workflows/libcxx-run-benchmarks.yml b/.github/workflows/libcxx-run-benchmarks.yml
index 0379a0a1f857d..9e8f55859fc7a 100644
--- a/.github/workflows/libcxx-run-benchmarks.yml
+++ b/.github/workflows/libcxx-run-benchmarks.yml
@@ -64,17 +64,21 @@ jobs:
           path: repo # Avoid nuking the workspace, where we have the Python virtualenv
 
       - name: Run baseline
+        env:
+          BENCHMARKS: ${{ steps.vars.outputs.benchmarks }}
         run: |
           source .venv/bin/activate && cd repo
           python -m pip install -r libcxx/utils/requirements.txt
           baseline_commit=$(git merge-base ${{ steps.vars.outputs.pr_base }} ${{ steps.vars.outputs.pr_head }})
-          ./libcxx/utils/test-at-commit --commit ${baseline_commit} -B build/baseline -- -sv -j1 --param optimization=speed ${{ steps.vars.outputs.benchmarks }}
+          ./libcxx/utils/test-at-commit --commit ${baseline_commit} -B build/baseline -- -sv -j1 --param optimization=speed "$BENCHMARKS"
           ./libcxx/utils/consolidate-benchmarks build/baseline | tee baseline.lnt
 
       - name: Run candidate
+        env:
+          BENCHMARKS: ${{ steps.vars.outputs.benchmarks }}
         run: |
           source .venv/bin/activate && cd repo
-          ./libcxx/utils/test-at-commit --commit ${{ steps.vars.outputs.pr_head }} -B build/candidate -- -sv -j1 --param optimization=speed ${{ steps.vars.outputs.benchmarks }}
+          ./libcxx/utils/test-at-commit --commit ${{ steps.vars.outputs.pr_head }} -B build/candidate -- -sv -j1 --param optimization=speed "$BENCHMARKS"
           ./libcxx/utils/consolidate-benchmarks build/candidate | tee candidate.lnt
 
       - name: Compare baseline and candidate runs

@tstellar tstellar requested a review from ldionne October 10, 2025 02:54
boomanaiden154
boomanaiden154 approved these changes Oct 10, 2025
View reviewed changes
Copy link
Contributor

@boomanaiden154 boomanaiden154 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. This is the standard way to fix this issues with how Github treats variables.

@tstellar tstellar merged commit 7102ff4 into main Oct 22, 2025
17 checks passed
@tstellar tstellar deleted the users/tstellar/salert-autofix-1440 branch October 22, 2025 02:31
Lukacma pushed a commit to Lukacma/llvm-project that referenced this pull request Oct 29, 2025
@tstellar @github-advanced-security @Lukacma
Potential fix for code scanning alert no. 1440: Code injection (llvm#…
8e49860 
…162764)

Fix for:
https://github.com/llvm/llvm-project/security/code-scanning/1440

This fix was automatically generated by Copilot Autofix for CodeQL. See
https://docs.github.com/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning
for more info.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
aokblast pushed a commit to aokblast/llvm-project that referenced this pull request Oct 30, 2025
@tstellar @github-advanced-security @aokblast
Potential fix for code scanning alert no. 1440: Code injection (llvm#…
b0741e6 
…162764)

Fix for:
https://github.com/llvm/llvm-project/security/code-scanning/1440

This fix was automatically generated by Copilot Autofix for CodeQL. See
https://docs.github.com/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning
for more info.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@boomanaiden154 boomanaiden154 boomanaiden154 approved these changes

@ldionne ldionne Awaiting requested review from ldionne

Assignees

No one assigned

Labels

github:workflow libc++ libc++ C++ Standard Library. Not GNU libstdc++. Not libc++abi.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@tstellar @llvmbot @boomanaiden154