Skip to content

fix(ci): avoid shell injection from workflow_dispatch input#476

Open
NickAldewereld wants to merge 1 commit into
CorentinTh:mainfrom
NickAldewereld:fix/ci-workflow-input-injection
Open

fix(ci): avoid shell injection from workflow_dispatch input#476
NickAldewereld wants to merge 1 commit into
CorentinTh:mainfrom
NickAldewereld:fix/ci-workflow-input-injection

Conversation

@NickAldewereld

Copy link
Copy Markdown

cd-docker-release.yaml interpolates a workflow_dispatch input straight into a run: script:

run: echo "RELEASE_VERSION=${{ github.event.inputs.release_version }}" >> $GITHUB_ENV

That is the textbook shell-injection pattern. It requires write access to trigger, so the risk is self-inflicted only, but it's easy to fix by routing the value through an env: var and referencing it as a shell variable instead.

…polation

Interpolating ${{ github.event.inputs.release_version }} straight into a
run: script is the textbook shell-injection pattern; route it through an
env var and reference it as a shell variable instead.
@sonarqubecloud

sonarqubecloud Bot commented Jul 8, 2026

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
C Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant