Skip to content

fix: prevent command injection in prepare-for-release workflow#159

Merged
al-af merged 1 commit into
masterfrom
fix/command-injection-workflow
Jul 1, 2026
Merged

fix: prevent command injection in prepare-for-release workflow#159
al-af merged 1 commit into
masterfrom
fix/command-injection-workflow

Conversation

@Kobikg78

Copy link
Copy Markdown
Contributor

Summary

  • Fixes command injection vulnerability in .github/workflows/prepare-for-release-workflow.yml (SECENGSW-35)
  • Branch name (steps.vars.outputs.branch) was directly interpolated into shell run: blocks, allowing arbitrary command execution via a crafted branch name
  • Fix passes the value through an env: variable instead, so special characters are treated as data, not shell code

Changes

  • Determine release tag step: added env: BRANCH_NAME and replaced ${{ steps.vars.outputs.branch }} with ${BRANCH_NAME}
  • Commit and Push step: same pattern applied to the git push command

Backward Compatibility

No behavioral change for legitimate branch names (e.g. releases/2.5.1). The version extraction regex and git push destination are identical.

Test plan

  • Trigger the workflow from a normal releases/x.y.z branch — verify it completes successfully
  • Verify a branch with shell metacharacters in the name does not execute injected commands

Fixes: SECENGSW-35

🤖 Generated with Claude Code

Pass branch name via environment variable instead of direct shell
interpolation to prevent command injection via crafted branch names.

Fixes SECENGSW-35
@af-dudka af-dudka self-requested a review April 29, 2026 08:26
@al-af al-af merged commit 2e929d6 into master Jul 1, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants