fix(api-docs/sisters): close template-injection on ref in cpp/dotnet/python/typescript#71
Conversation
…python/typescript Mirrors the rust-template fix (#70) across the remaining four sister templates. Each has the same `inputs.ref || github.ref_name` inlined into a single-quoted shell literal at template-expansion time. Tag names containing a single quote (Git permits them) would break out of the literal and run arbitrary shell with the runner's checkout and DOCS_REPO_PR_TOKEN in scope. Routes the value through a step-level env: REF_RAW: instead. Each template's existing slug-substitution rules are preserved (cpp uses \@/-, typescript uses \@/<empty>, dotnet/python only normalize /); only the source of $raw changes from interpolated literal to env var. DOCS_REF_NAME / DOCS_REF_SLUG outputs are byte-identical for every input ref. Behavior unchanged.
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (4)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request implements security hardening across several GitHub Actions workflow templates for C++, .NET, Python, and TypeScript. It replaces the direct inlining of GitHub context variables into shell scripts with environment variable indirection to prevent potential shell injection vulnerabilities from malformed ref names. I have no feedback to provide as there were no review comments.
1 participant
Summary
Mirrors #70 (rust template fix) across the remaining four sister templates. Same root cause, same remediation.
Affected templates:
Pattern (each file):
```yaml
Before
run: |
raw='${{ inputs.ref || github.ref_name }}'
After
env:
REF_RAW: ${{ inputs.ref || github.ref_name }}
run: |
raw="$REF_RAW"
```
The `${{ }}` interpolation runs at template-expansion time, before shell parsing. Tag names containing a single quote (Git permits them — only space, `~`, `^`, `:`, `?`, `*`, `[`, `\`, `..` are forbidden ref chars) would terminate the literal and inject shell. The runner has the source-tree checkout and `DOCS_REPO_PR_TOKEN` in env at that point.
Env indirection routes the value through the runner's env layer where shell metacharacters survive intact and cannot escape the variable boundary.
Per-template detail
Each template's existing slug-substitution rules are preserved unchanged:
Only the source of `$raw` changes from interpolated literal to env var. `DOCS_REF_NAME` / `DOCS_REF_SLUG` outputs are byte-identical for every input ref.
Effect on downstream
`automation/sync-templates.sh` will produce sync PRs in:
on its next run, each carrying the env-indirection patch into that repo's `.github/workflows/api-docs.yml`.
Test plan
Related