fix: Prevent command injection in GitHub Actions workflow#1
Open
fix-it-felix-sentry[bot] wants to merge 1 commit intomainfrom
Open
fix: Prevent command injection in GitHub Actions workflow#1fix-it-felix-sentry[bot] wants to merge 1 commit intomainfrom
fix-it-felix-sentry[bot] wants to merge 1 commit intomainfrom
Conversation
Move inputs.rust-version and inputs.targets to environment variables to prevent potential command injection vulnerabilities. This follows GitHub security best practices for handling untrusted input in workflows. The fix: - Moves inputs to env variables (RUST_VERSION, TARGETS) - Quotes all variable usages in the shell script - Prevents direct interpolation of user-controllable values Fixes: VULN-1091 Related: EAP-400 Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR fixes a high-severity security vulnerability (command injection) in the GitHub Actions workflow by preventing direct interpolation of user-controllable input values.
Changes
inputs.rust-versionandinputs.targetsto environment variables (RUST_VERSION,TARGETS)${{ }}syntax in therun:blockSecurity Impact
The previous implementation directly interpolated
inputs.rust-versionandinputs.targetsvalues into shell commands, which could allow an attacker to inject malicious code if these inputs were compromised. This fix follows GitHub's security best practices by using intermediate environment variables.Related Issues
References