
Fix security issues #6039

Merged

sdepassio merged 2 commits into release-20260300 from fix-for-aikido-2 on Mar 13, 2026

Conversation

@sdepassio (Contributor) commented Mar 13, 2026

Description

Fix issues found by Aikido Security:

  • Template Injection in GitHub Workflows Action
  • Potential user input in HTTP request may allow SSRF attack
  • Potential file inclusion attack via reading file

Type of change

  • Patch fixing an issue (non-breaking change)
  • New functionality (non-breaking change)
  • Functionality enhancement or optimization (non-breaking change)
  • Breaking change (patch or feature) that might cause side effects breaking part of the Software

How can this pull request be tested?

Please describe the procedure to verify that the goal of the PR is matched.
Provide clear instructions so that it can be correctly tested.
Mention the automated tests included in this PR (what they test, like mode/option combinations).

Checklist

  • I have followed the coding style guidelines provided by Centreon
  • I have commented my code, especially hard-to-understand areas of the PR.
  • I have rebased my development branch on the base branch (develop).
  • In case of a new plugin, I have created the new packaging directory accordingly.
  • I have implemented automated tests related to my commits.
    • Data used for automated tests are anonymized.
  • I have reviewed all the help messages in all the .pm files I have modified.
    • All sentences begin with a capital letter.
    • All sentences end with a period.
    • I am able to understand all the help messages, if not, exchange with the PO or TW to rewrite them.
  • After having created the PR, I will make sure that all the tests provided in this PR have run and passed.

Summary by Aikido

Security Issues: 0 · Quality Issues: 0 · Resolved Issues: 13 ✅

⚡ Enhancements

  • Mitigated template injection by exporting inputs to env variables.
  • Replaced direct expression interpolation in HTTP calls to prevent SSRF.
  • Rewrote file and archive handling to use shell variables safely.
  • Standardized composite actions to read inputs via environment variables.

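The three Aikido findings above share one root cause: a `${{ ... }}` expression placed directly inside a `run:` script is expanded by the Actions template engine before the shell starts, so any quoting inside the script cannot contain it. The mitigation the PR summary describes (read inputs through `env:` variables) is shown below as an added example; it is constructed for this page and is not code from the centreon-plugins repository or from this PR. The action name, the inputs `version`, `download-url` and `changelog`, the allowed download host `downloads.example.org`, and the file names are all assumptions chosen for illustration.

```yaml
# Added example, not from the centreon-plugins repository.
# First document: the weak pattern. Second document: the hardened pattern
# that reads every input through an environment variable.

# --- WEAK: inputs expanded by the template engine straight into script text.
# A value containing a double quote and a semicolon ends the quoted string
# and the rest is executed as further shell commands (template injection);
# the same expansion lets an input pick an arbitrary URL (SSRF) or an
# arbitrary path to read (file inclusion).
name: "Package plugin (weak, for comparison only)"
inputs:
  version:
    description: "Package version string"
    required: true
  download-url:
    description: "URL of the vendor archive"
    required: true
  changelog:
    description: "Path of the changelog to embed"
    required: true
runs:
  using: composite
  steps:
    - name: Fetch, read and package
      shell: bash
      run: |
        curl -fsSL "${{ inputs.download-url }}" -o vendor.tar.gz   # SSRF sink
        cat "${{ inputs.changelog }}" > CHANGELOG.txt               # file inclusion sink
        tar czf "plugin-${{ inputs.version }}.tar.gz" CHANGELOG.txt vendor.tar.gz  # injection sink
---
# --- HARDENED: the expression is evaluated only when assigning env:, so bash
# receives each input as the *value* of a variable, never as part of the script.
# Each value is then validated before it is used.
name: "Package plugin (hardened)"
inputs:
  version:
    description: "Package version string"
    required: true
  download-url:
    description: "URL of the vendor archive"
    required: true
  changelog:
    description: "Path of the changelog to embed (relative to the workspace)"
    required: true
runs:
  using: composite
  steps:
    - name: Fetch, read and package
      shell: bash
      env:
        PLUGIN_VERSION: ${{ inputs.version }}
        DOWNLOAD_URL: ${{ inputs.download-url }}
        CHANGELOG_PATH: ${{ inputs.changelog }}
      run: |
        set -euo pipefail

        # Version: digits and dots only, so it can never carry shell metacharacters.
        if ! [[ "$PLUGIN_VERSION" =~ ^[0-9]+(\.[0-9]+)*$ ]]; then
          echo "::error::invalid version '$PLUGIN_VERSION'"; exit 1
        fi

        # URL: restrict scheme and host to a fixed allow-list (host is an assumption),
        # which keeps the request from being pointed at internal or metadata endpoints.
        if ! [[ "$DOWNLOAD_URL" =~ ^https://downloads\.example\.org/[A-Za-z0-9._/-]+$ ]]; then
          echo "::error::download URL not allowed: '$DOWNLOAD_URL'"; exit 1
        fi
        # --proto/--proto-redir keep a redirect from downgrading or changing scheme.
        curl -fsSL --proto '=https' --proto-redir '=https' "$DOWNLOAD_URL" -o vendor.tar.gz

        # File path: resolve it and require that it stays inside the checked-out workspace,
        # which rejects absolute paths, symlinks and "../" escapes alike.
        resolved="$(realpath -e -- "$CHANGELOG_PATH")"
        workspace="$(realpath -e -- "$GITHUB_WORKSPACE")"
        case "$resolved" in
          "$workspace"/*) ;;
          *) echo "::error::changelog path '$CHANGELOG_PATH' is outside the workspace"; exit 1 ;;
        esac
        cat -- "$resolved" > CHANGELOG.txt

        tar czf "plugin-${PLUGIN_VERSION}.tar.gz" CHANGELOG.txt vendor.tar.gz
```

The `env:` mapping is the whole fix for the injection finding: the expression is still expanded, but into a variable's value rather than into the script, so bash's quoting rules apply. The regex and workspace checks are the additional controls a reviewer would expect for the SSRF and file-inclusion findings, since an environment variable alone does not stop a caller from supplying an arbitrary URL or path.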

@sdepassio sdepassio marked this pull request as ready for review March 13, 2026 08:08
@sdepassio sdepassio requested a review from a team as a code owner March 13, 2026 08:08
@sdepassio sdepassio requested review from kduret, mushroomempires and tuntoja and removed request for a team March 13, 2026 08:08
@github-actions commented

Checkmarx One – Scan Summary & Details (scan f41059d4-de1e-4317-9a42-68263d23aa42)

Great job! No new security vulnerabilities introduced in this pull request

@sdepassio sdepassio merged commit 3260ceb into release-20260300 Mar 13, 2026
87 of 89 checks passed
@sdepassio sdepassio deleted the fix-for-aikido-2 branch March 13, 2026 09:04