BUILD-10724 fix host paths #237
Conversation
Summary

This PR refactors how host action paths are passed to shell scripts across five GitHub Actions. Instead of using an intermediate environment variable, the scripts now directly reference the input variable using GitHub Actions context. This change affects: config-gradle, config-maven, config-npm, config-pip, and get-build-number actions. The logic remains identical—if host-actions-root is provided, use it; otherwise default to the action's directory.

What reviewers should know

All changes follow the same pattern: removing the
Pull request overview
This PR updates several internal composite GitHub Actions to adjust how host-actions-root is read when computing local action paths (used when these actions are invoked from other local actions).
Changes:
- Remove step-level `env: HOST_ACTIONS_ROOT: ...` wiring.
- Read `host-actions-root` directly via `${{ inputs.host-actions-root }}` inside the bash `run:` blocks when computing `host_actions_root`.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| get-build-number/action.yml | Updates local-path resolution to read host-actions-root inline in the bash script. |
| config-pip/action.yml | Updates local-path resolution to read host-actions-root inline in the bash script. |
| config-npm/action.yml | Updates local-path resolution to read host-actions-root inline in the bash script. |
| config-maven/action.yml | Updates local-path resolution to read host-actions-root inline in the bash script. |
| config-gradle/action.yml | Updates local-path resolution to read host-actions-root inline in the bash script. |
Conclusion
This PR inverts a deliberate security fix: the env: → shell-variable indirection pattern that was in place is precisely the mitigation GitHub recommends for script injection. Removing it across all five actions re-opens the vulnerability the original code was written to prevent.
SonarCloud recommendations
Even though the five injection findings are not blocking a named gate condition, I strongly recommend fixing them because they are genuine BLOCKER vulnerabilities:
- config-gradle/action.yml:58
- config-maven/action.yml:59
- config-npm/action.yml:61
- config-pip/action.yml:45
- get-build-number/action.yml:24
${{ inputs.host-actions-root }} is interpolated by the GitHub Actions template engine before the shell is invoked. A caller supplying a value like "; malicious-command #" would execute arbitrary shell code in the runner. The previous env: + ${HOST_ACTIONS_ROOT} pattern is exactly the mitigation GitHub documents for this class of vulnerability — it should be restored, not removed.
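The two step shapes the comment contrasts, as an added illustration rather than the repository's own action.yml: the input interpolated straight into the script text beside the env-bound form GitHub recommends. The step names, the quoting, and the fallback to `github.action_path` are assumptions for the example.

```yaml
# Added illustration, not this repository's code. Shows the weak step shape
# the review comment refers to and the env-indirection form that replaces it.
inputs:
  host-actions-root:
    description: Root of the host repository's local actions (optional)
    required: false
    default: ""

runs:
  using: composite
  steps:
    # WEAK: the Actions template engine substitutes the expression into the
    # script text before bash starts, so the input value becomes shell syntax.
    # A value containing a closing quote followed by `; <command> #` runs that
    # command on the runner (this is the injection the comment describes).
    - name: Resolve host actions root (template interpolation)
      shell: bash
      run: |
        host_actions_root="${{ inputs.host-actions-root }}"
        if [ -z "${host_actions_root}" ]; then
          host_actions_root="${{ github.action_path }}"   # assumed fallback
        fi
        echo "Using host actions root: ${host_actions_root}"

    # MITIGATED: the input is bound to an environment variable, which bash
    # reads as data at runtime rather than as script text. Double quotes keep
    # the value a single word even if it contains spaces or metacharacters.
    - name: Resolve host actions root (env indirection)
      shell: bash
      env:
        HOST_ACTIONS_ROOT: ${{ inputs.host-actions-root }}
      run: |
        if [ -n "${HOST_ACTIONS_ROOT}" ]; then
          host_actions_root="${HOST_ACTIONS_ROOT}"
        else
          host_actions_root="${{ github.action_path }}"   # assumed fallback
        fi
        echo "Using host actions root: ${host_actions_root}"
```

The only `${{ ... }}` left inside `run:` in the mitigated step is `github.action_path`, which the caller cannot set, so the script text no longer depends on caller-supplied input.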


The host path cannot be passed as an env; it is modified by the runner hooks.