Skip to content

Commit fe4d102

Browse files
gibsondanclaude
andauthored
Mitigate template injection in release workflow (#325)
Pass `inputs.working_directory` and `github.ref_name` to the "Validate release version" step through environment variables instead of interpolating `${{ ... }}` expressions directly into the `run` shell command. `github.ref_name` is attacker-influenceable, so direct interpolation allowed shell/command injection. Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent f5847f9 commit fe4d102

1 file changed

Lines changed: 4 additions & 1 deletion

File tree

.github/workflows/template-release.yml

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -44,7 +44,10 @@ jobs:
4444
# -rw-r--r--@ 2.0K Oct 23 14:06 dagster_modal-0.1.2-py3-none-any.whl
4545
# -rw-r--r--@ 1.6K Oct 23 14:06 dagster_modal-0.1.2.tar.gz
4646
- name: Validate release version
47-
run: python .github/validate-release-version.py ${{ inputs.working_directory }}/dist ${{ github.ref_name }}
47+
run: python .github/validate-release-version.py "$WORKING_DIRECTORY/dist" "$REF_NAME"
48+
env:
49+
WORKING_DIRECTORY: ${{ inputs.working_directory }}
50+
REF_NAME: ${{ github.ref_name }}
4851

4952
- name: Publish
5053
working-directory: ${{ inputs.working_directory }}

0 commit comments

Comments
 (0)