
Fix command injection in required-field-check workflow #3642

Open
varadarajan-tw wants to merge 2 commits into main from fix/required-field-check-command-injection

Conversation

varadarajan-tw (Contributor) commented Mar 3, 2026

Summary

  • Remediates OS command injection vulnerability (CWE-78) in the required-field-check GitHub Actions workflow
  • PR filenames from the GitHub API were interpolated unquoted into bash commands via ${{ }} expressions, allowing arbitrary command execution if a filename contained shell metacharacters like $()
  • Fix: output files as a JSON array, pass through an env variable (avoiding inline ${{ }} interpolation), parse safely with jq, and construct args with proper bash array quoting

JIRA - https://twilio-engineering.atlassian.net/browse/SECOPS-23951

Test plan

  • Verify the Required Field Check workflow passes on this PR
  • Confirm filenames with special characters are handled safely (no shell expansion)
  • Validate that the workflow still correctly detects new required fields on PRs that modify destination definitions

Test: Verified that filenames with shell metacharacters are treated as literals and not executed.

Input: JSON array with malicious filename

CHANGED_FILES='["file1.ts", "file$(echo INJECTED).ts", "file with spaces.ts"]'

Parse with jq (new safe method)

# one filename per line from jq; each becomes a single quoted array element
while IFS= read -r file; do
  ARGS+=(-p "$file")
done < <(echo "$CHANGED_FILES" | jq -r '.[]')

Result:

  • file$(echo INJECTED).ts → treated as literal string, no command execution
  • file with spaces.ts → properly quoted and handled
  • All arguments correctly passed to CLI with proper escaping

🤖 Generated with Claude Code
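The vulnerable and hardened patterns side by side, as an added example that is not code from this PR or from the repository. It emulates the Actions ${{ }} substitution with a plain string replacement, assumes a step id "changes" with an output named "files" (both assumptions), uses constructed filenames, and needs bash plus jq (both present on GitHub-hosted runners). It also goes one step past the PR's test: a filename containing a newline, which the newline-delimited jq -r '.[]' loop splits in two, handled by NUL-delimiting the list instead.

```shell
#!/usr/bin/env bash
# Added illustration, not the project's code. Requires bash and jq.
# Assumed workflow shape (step id and output name are assumptions):
#   vulnerable:  run: cli -p ${{ steps.changes.outputs.files }}
#   hardened:    env:
#                  CHANGED_FILES: ${{ steps.changes.outputs.files }}   # JSON array
#                run: |
#                  ... jq -r '.[]' <<<"$CHANGED_FILES" ...
set -euo pipefail

# Constructed sample: what a "list changed files" step might publish.
CHANGED_FILES_JSON='["file1.ts","file$(echo INJECTED).ts","file with spaces.ts"]'

# Stand-in for the Actions expression engine: ${{ expr }} is substituted
# textually into the run: script before bash ever parses it.
expand_template() {
  local template=$1 value=$2
  local placeholder='${{ steps.changes.outputs.files }}'
  printf '%s' "${template//"$placeholder"/"$value"}"
}

# Vulnerable pattern: filenames inlined unquoted into the script. Prints the
# argv the CLI actually receives, one element per line, shell-quoted (%q).
vulnerable_argv() {
  local files script
  files=$(jq -r 'join(" ")' <<<"$1")   # old-style space-separated list
  script=$(expand_template 'printf "%q\n" ${{ steps.changes.outputs.files }}' "$files")
  bash -c "$script"                     # $(echo INJECTED) runs here
}

# Hardened pattern (the PR's approach): the JSON arrives in an environment
# variable, so the shell only ever sees it as data; jq -r '.[]' emits one
# filename per line and read -r keeps backslashes literal.
safe_argv() {
  local -a args=()
  local file
  while IFS= read -r file; do
    args+=(-p "$file")
  done < <(jq -r '.[]' <<<"$CHANGED_FILES")
  printf '%q\n' "${args[@]}"
}

# Residual edge case: a filename containing a newline is legal on Linux and
# in JSON, and the newline-delimited loop above splits it into two files.
# NUL is the one byte a path cannot contain, so delimit with NUL instead.
safe_argv_nul() {
  local -a args=()
  local file
  while IFS= read -r -d '' file; do
    args+=(-p "$file")
  done < <(jq -j '.[] | . + "\u0000"' <<<"$CHANGED_FILES")
  printf '%q\n' "${args[@]}"
}

echo '--- vulnerable: inline ${{ }} interpolation (note fileINJECTED.ts and the split name)'
vulnerable_argv "$CHANGED_FILES_JSON"
echo '--- hardened: env var + jq + bash array (metacharacters stay literal)'
CHANGED_FILES="$CHANGED_FILES_JSON" safe_argv
echo '--- newline in a filename: newline-delimited (wrong) vs NUL-delimited (right)'
CHANGED_FILES='["a\nb.ts","c.ts"]' safe_argv
CHANGED_FILES='["a\nb.ts","c.ts"]' safe_argv_nul
```

In the vulnerable run the echo inside the filename executes (the argv shows fileINJECTED.ts) and "file with spaces.ts" arrives as three arguments; in the hardened run the same input yields exactly six arguments with the $(...) text intact. The %q output is what execve would hand to the CLI, which is the thing worth checking in a test plan rather than a rendered log line.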

Remediate OS command injection vulnerability where PR filenames containing
shell metacharacters (e.g., $()) could execute arbitrary commands on the
Actions runner. Untrusted filenames from the GitHub API were interpolated
unquoted into bash via ${{ }} expressions.

Fix: output files as JSON array, pass through env variable (not inline
interpolation), parse safely with jq, and build args with proper quoting.

Ref: HackerOne #3526875

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
varadarajan-tw changed the title from "Fix command injection in required-field-check workflow (CWE-78)" to "Fix command injection in required-field-check workflow" on Mar 3, 2026
New destinations have no existing customers and new actions have no
existing configurations, so adding required fields to them is safe.
Only warn when required fields are added to actions/settings that
already exist on main.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2 participants