Fix shell injection vulnerability in release workflow (ENG-6554)#229
fix-it-felix-sentry[bot] wants to merge 1 commit into main from
Resolves command injection vulnerability by using environment variables instead of direct GitHub context interpolation in shell scripts. This prevents potential malicious code injection through user-controlled input in github.event_name and github.event.inputs.version.

Changes:
- Added env section with GH_EVENT_NAME and GH_INPUT_VERSION
- Updated shell script to reference environment variables
- Added proper quoting around variables

Fixes: https://linear.app/getsentry/issue/ENG-6554
Parent: https://linear.app/getsentry/issue/VULN-1163

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
| if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then | ||
| VERSION="${{ github.event.inputs.version }}" | ||
| if [ "$GH_EVENT_NAME" = "workflow_dispatch" ]; then | ||
| VERSION="$GH_INPUT_VERSION" |
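Review bot: the env-var indirection is the right fix for these two lines, but it only closes the first hop; the hunk does not show the `env:` block that defines GH_EVENT_NAME and GH_INPUT_VERSION, and the VERSION assigned here is subsequently written to $GITHUB_OUTPUT, so every downstream `run:` that reads it back through `${{ steps.get_version.outputs.VERSION }}` or `${{ needs.release.outputs.version }}` needs the same treatment (bind the output to an env var, or guard the step with an `if:` on the push event), otherwise the shell interpolation simply moves one step later. Since this step is the single point where the user-supplied value enters the pipeline, it is also the natural place to validate $GH_INPUT_VERSION against the expected version format before it is echoed to $GITHUB_OUTPUT.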
Shell injection persists through step output propagation
High Severity
The fix safely moves github.event.inputs.version into an env var for the "Get version" step, but the user-controlled value is immediately written to $GITHUB_OUTPUT and then used via ${{ steps.get_version.outputs.VERSION }} and ${{ needs.release.outputs.version }} with direct interpolation in run: blocks of downstream steps that lack if: push guards — including "Resolve npm tag" (line 83), "Summary" (lines 139–140), and the build_and_package_macos/build_universal_and_verify jobs. This re-introduces the same shell injection the PR aims to fix, since ${{ }} expressions are substituted into shell scripts before execution.
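The following workflow fragment is an added illustration, not the PR's actual release workflow, of the pattern the PR applies to the "Get version" step extended to the downstream consumers Bugbot flags: the value is bound to an environment variable at every `run:` boundary (step env, and job-level env for the cross-job output), and validated once where it enters. The trigger definition, the tag-to-version derivation and the permitted version character set are assumptions made for the example.

```yaml
# Added example (not the PR's workflow): pass user-controlled workflow input
# through steps and jobs without ever placing ${{ }} inside a run: script.
name: release
on:
  push:
    tags: ['v*']
  workflow_dispatch:
    inputs:
      version:
        description: 'Version to release'
        required: true

jobs:
  release:
    runs-on: ubuntu-latest
    outputs:
      # An expression in outputs: is not shell, so interpolation is safe here.
      version: ${{ steps.get_version.outputs.VERSION }}
    steps:
      - id: get_version
        name: Get version
        env:
          GH_EVENT_NAME: ${{ github.event_name }}
          GH_INPUT_VERSION: ${{ github.event.inputs.version }}
        run: |
          if [ "$GH_EVENT_NAME" = "workflow_dispatch" ]; then
            VERSION="$GH_INPUT_VERSION"
          else
            VERSION="${GITHUB_REF_NAME#v}"   # assumed: tags look like v1.2.3
          fi
          # Validate before the value reaches $GITHUB_OUTPUT, so downstream
          # consumers only ever see a version-shaped string (allowed set is assumed).
          case "$VERSION" in
            ""|*[!0-9A-Za-z.+-]*) echo "::error::invalid version: $VERSION"; exit 1 ;;
          esac
          echo "VERSION=$VERSION" >> "$GITHUB_OUTPUT"

      - name: Resolve npm tag
        # The step output is still user-controlled data: bind it to env too,
        # never as ${{ steps.get_version.outputs.VERSION }} inside run:.
        env:
          VERSION: ${{ steps.get_version.outputs.VERSION }}
        run: |
          case "$VERSION" in
            *-*) echo "NPM_TAG=next" >> "$GITHUB_ENV" ;;
            *)   echo "NPM_TAG=latest" >> "$GITHUB_ENV" ;;
          esac

  build_and_package_macos:
    needs: release
    runs-on: macos-latest
    env:
      # Job-level env: the same rule applies to cross-job outputs.
      VERSION: ${{ needs.release.outputs.version }}
    steps:
      - name: Summary
        run: echo "Packaging version $VERSION"
```

The property to check in review is mechanical: no `${{ ... }}` appears inside any `run:` block. Values cross the expression/shell boundary only through `env:`, where the runner passes them as environment variables rather than substituting them into the script text, so shell metacharacters in the input are never parsed as code.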


Summary
This PR fixes a high-severity shell injection vulnerability in the GitHub Actions release workflow.
Problem
The workflow was using direct interpolation of GitHub context data (${{ github.event_name }} and ${{ github.event.inputs.version }}) in shell scripts, which could allow an attacker to inject malicious code through user-controlled input.
Solution
- env: section to set environment variables GH_EVENT_NAME and GH_INPUT_VERSION
Testing
The workflow file syntax is valid and follows GitHub Actions best practices for security hardening.
References