7 changes: 5 additions & 2 deletions sentry-cli/integration-test/action.yml
Expand Up @@ -16,6 +16,9 @@ runs:
steps:
- name: Run tests
shell: pwsh
env:
ACTION_PATH: ${{ github.action_path }}
TEST_PATH: ${{ inputs.path }}
run: |
Import-Module -Name ${{ github.action_path }}/action.psm1 -Force
Invoke-Pester -Output Detailed '${{ inputs.path }}'
Import-Module -Name "$env:ACTION_PATH/action.psm1" -Force
Invoke-Pester -Output Detailed "$env:TEST_PATH"
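Review bot: The new `env:` block above `run:` carries no comment explaining why `github.action_path` and `inputs.path` are routed through `ACTION_PATH` and `TEST_PATH`; a one-line note that `${{ }}` expressions must stay out of the `run:` script would keep a later edit from reintroducing inline interpolation. In the `Import-Module` line, `Join-Path $env:ACTION_PATH 'action.psm1'` would read more clearly than building the path inside a double-quoted string.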
40 changes: 25 additions & 15 deletions updater/action.yml
Expand Up @@ -73,54 +73,64 @@ runs:

- name: Validate dependency name
shell: pwsh
env:
DEPENDENCY_NAME: ${{ inputs.name }}
run: |
# Validate that inputs.name contains only safe characters
if ('${{ inputs.name }}' -notmatch '^[a-zA-Z0-9_\./@\s-]+$') {
Write-Output "::error::Invalid dependency name: '${{ inputs.name }}'. Only alphanumeric characters, spaces, and _-./@ are allowed."
if ("$env:DEPENDENCY_NAME" -notmatch '^[a-zA-Z0-9_\./@\s-]+$') {
Write-Output "::error::Invalid dependency name: '$env:DEPENDENCY_NAME'. Only alphanumeric characters, spaces, and _-./@ are allowed."
Comment on lines +80 to +81
Bug: Using double-quoted environment variables in PowerShell allows for subexpression evaluation and command injection before the validation logic is executed.
Severity: CRITICAL

Suggested Fix

Replace double quotes with single quotes when referencing environment variables in PowerShell validation checks. For example, change "$env:DEPENDENCY_NAME" to '$env:DEPENDENCY_NAME'. This ensures PowerShell treats the variable's content as a literal string, preventing subexpression evaluation and command injection.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: updater/action.yml#L80-L81

Potential issue: The use of double-quoted environment variables in PowerShell, such as
`"$env:DEPENDENCY_NAME"`, allows for subexpression evaluation. If an input contains a
payload like `test$(Write-Host 'injected')`, the malicious command within `$()` is
executed before the regex validation runs. This happens because PowerShell expands the
variable and evaluates any subexpressions within it before passing the result to the
`-notmatch` operator. This vulnerability is present in the input validation steps and
subsequent script invocations, undermining the intended security fix.

Did we get this right? 👍 / 👎 to inform future reviews.

exit 1
}
Write-Output "✓ Dependency name '${{ inputs.name }}' is valid"
Write-Output "✓ Dependency name '$env:DEPENDENCY_NAME' is valid"

- name: Validate dependency path
shell: pwsh
env:
DEPENDENCY_PATH: ${{ inputs.path }}
run: |
# Validate that inputs.path contains only safe characters (including # for CMake dependencies)
if ('${{ inputs.path }}' -notmatch '^[a-zA-Z0-9_\./#-]+$') {
Write-Output "::error::Invalid dependency path: '${{ inputs.path }}'. Only alphanumeric characters and _-./# are allowed."
if ("$env:DEPENDENCY_PATH" -notmatch '^[a-zA-Z0-9_\./#-]+$') {
Write-Output "::error::Invalid dependency path: '$env:DEPENDENCY_PATH'. Only alphanumeric characters and _-./# are allowed."
exit 1
}
Write-Output "✓ Dependency path '${{ inputs.path }}' is valid"
Write-Output "✓ Dependency path '$env:DEPENDENCY_PATH' is valid"

- name: Validate changelog-entry
shell: pwsh
env:
CHANGELOG_ENTRY: ${{ inputs.changelog-entry }}
run: |
# Validate that inputs.changelog-entry is either 'true' or 'false'
if ('${{ inputs.changelog-entry }}' -notin @('true', 'false')) {
Write-Output "::error::Invalid changelog-entry value: '${{ inputs.changelog-entry }}'. Only 'true' or 'false' are allowed."
if ("$env:CHANGELOG_ENTRY" -notin @('true', 'false')) {
Write-Output "::error::Invalid changelog-entry value: '$env:CHANGELOG_ENTRY'. Only 'true' or 'false' are allowed."
exit 1
}
Write-Output "✓ Changelog-entry value '${{ inputs.changelog-entry }}' is valid"
Write-Output "✓ Changelog-entry value '$env:CHANGELOG_ENTRY' is valid"

- name: Validate pr-strategy
shell: pwsh
env:
PR_STRATEGY: ${{ inputs.pr-strategy }}
run: |
# Validate that inputs.pr-strategy is either 'create' or 'update'
if ('${{ inputs.pr-strategy }}' -notin @('create', 'update')) {
Write-Output "::error::Invalid pr-strategy value: '${{ inputs.pr-strategy }}'. Only 'create' or 'update' are allowed."
if ("$env:PR_STRATEGY" -notin @('create', 'update')) {
Write-Output "::error::Invalid pr-strategy value: '$env:PR_STRATEGY'. Only 'create' or 'update' are allowed."
exit 1
}
Write-Output "✓ PR strategy value '${{ inputs.pr-strategy }}' is valid"
Write-Output "✓ PR strategy value '$env:PR_STRATEGY' is valid"

- name: Validate post-update-script
if: ${{ inputs.post-update-script != '' }}
shell: pwsh
env:
POST_UPDATE_SCRIPT: ${{ inputs.post-update-script }}
run: |
# Validate that inputs.post-update-script contains only safe characters
if ('${{ inputs.post-update-script }}' -notmatch '^[a-zA-Z0-9_\./#\s-]+$') {
Write-Output "::error::Invalid post-update-script path: '${{ inputs.post-update-script }}'. Only alphanumeric characters, spaces, and _-./# are allowed."
if ("$env:POST_UPDATE_SCRIPT" -notmatch '^[a-zA-Z0-9_\./#\s-]+$') {
Write-Output "::error::Invalid post-update-script path: '$env:POST_UPDATE_SCRIPT'. Only alphanumeric characters, spaces, and _-./# are allowed."
exit 1
}
Write-Output "✓ Post-update script path '${{ inputs.post-update-script }}' is valid"
Write-Output "✓ Post-update script path '$env:POST_UPDATE_SCRIPT' is valid"

- name: Validate authentication inputs
shell: pwsh
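Review bot: The name and post-update-script patterns allow `\s`, which in .NET regex matches tabs and line breaks as well as spaces, while both error messages promise only "spaces"; a multi-line value therefore passes and is echoed verbatim by the following `Write-Output "✓ ..."` line. Replace `\s` with a literal space in both character classes, and consider `\z` in place of `$` so a trailing newline is rejected too. Separately, the double quotes around `$env:DEPENDENCY_NAME` and the other variables in the `if` conditions are redundant: PowerShell expands the variable once and does not re-parse its value, so the bare `$env:DEPENDENCY_NAME -notmatch ...` is equivalent. Do not switch these to single quotes, since `'$env:DEPENDENCY_NAME'` is the literal text, which contains `$` and `:` and would fail the pattern for every input.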