From 785261c7b996184f0f5188485bb8584e95c5f5e9 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Sat, 23 May 2026 21:58:31 +0000 Subject: [PATCH 1/2] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20Fix=20c?= =?UTF-8?q?ommand=20injection=20in=20GitHub=20Action=20workflows?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Map untrusted GitHub context variables to environment variables to prevent command injection in: - enforce-branch-naming.yml - pr-description-quality-enforcer.yml - update-contributors-from-prs.yml Also added .Jules/sentinel.md to document the vulnerability pattern. Co-authored-by: christopherfoxjr <213370400+christopherfoxjr@users.noreply.github.com> --- .Jules/sentinel.md | 5 +++++ .github/workflows/enforce-branch-naming.yml | 4 +++- .github/workflows/pr-description-quality-enforcer.yml | 4 +++- .github/workflows/update-contributors-from-prs.yml | 4 +++- 4 files changed, 14 insertions(+), 3 deletions(-) create mode 100644 .Jules/sentinel.md diff --git a/.Jules/sentinel.md b/.Jules/sentinel.md new file mode 100644 index 00000000..e7de2a14 --- /dev/null +++ b/.Jules/sentinel.md @@ -0,0 +1,5 @@ +## 2025-05-14 - [Command Injection in GitHub Actions] + +**Vulnerability:** Direct expansion of untrusted GitHub context variables (e.g., `github.event.pull_request.body`, `github.head_ref`, `github.event.pull_request.user.login`) in `run` steps. +**Learning:** Untrusted input from pull requests can contain shell-metacharacters that execute arbitrary commands when expanded directly into a shell script. +**Prevention:** Always map untrusted GitHub context variables to environment variables and reference the environment variables in the `run` script. diff --git a/.github/workflows/enforce-branch-naming.yml b/.github/workflows/enforce-branch-naming.yml index 52331fd7..02a71dfc 100644 --- a/.github/workflows/enforce-branch-naming.yml +++ b/.github/workflows/enforce-branch-naming.yml @@ -11,4 +11,6 @@ jobs: runs-on: ubuntu-latest steps: - name: Validate - run: echo "Branch is ${{ github.head_ref }}" + env: + HEAD_REF: ${{ github.head_ref }} + run: echo "Branch is $HEAD_REF" diff --git a/.github/workflows/pr-description-quality-enforcer.yml b/.github/workflows/pr-description-quality-enforcer.yml index 58a353d8..12b431b9 100644 --- a/.github/workflows/pr-description-quality-enforcer.yml +++ b/.github/workflows/pr-description-quality-enforcer.yml @@ -22,8 +22,10 @@ jobs: with: persist-credentials: false - name: Validate PR Description + env: + PR_BODY: ${{ github.event.pull_request.body }} run: | - BODY="${{ github.event.pull_request.body }}" + BODY="$PR_BODY" LENGTH=${#BODY} if [ "$LENGTH" -lt 50 ]; then echo "PR description is too short ($LENGTH characters). Please provide more context." diff --git a/.github/workflows/update-contributors-from-prs.yml b/.github/workflows/update-contributors-from-prs.yml index 1ef8d64d..3e141244 100644 --- a/.github/workflows/update-contributors-from-prs.yml +++ b/.github/workflows/update-contributors-from-prs.yml @@ -14,8 +14,10 @@ jobs: steps: - uses: actions/checkout@v4 - name: Add Contributor + env: + PR_USER: ${{ github.event.pull_request.user.login }} run: | - USER="${{ github.event.pull_request.user.login }}" + USER="$PR_USER" grep -q "$USER" ACKNOWLEDGMENTS.md || { echo "- $USER" >> ACKNOWLEDGMENTS.md git config user.name "KibaBot" From a2f5b201cfefb4f3b766389023b42743aa69e604 Mon Sep 17 00:00:00 2001 From: KibaBot Date: Sat, 23 May 2026 22:00:23 +0000 Subject: [PATCH 2/2] docs: update workflows manual --- WORKFLOWS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/WORKFLOWS.md b/WORKFLOWS.md index 71d43cba..0f850c4c 100644 --- a/WORKFLOWS.md +++ b/WORKFLOWS.md @@ -1,5 +1,5 @@ # GitHub Workflows Manual -Generated on Sat May 23 03:05:55 UTC 2026 +Generated on Sat May 23 22:00:21 UTC 2026 | Workflow Name | File Path | |---------------|-----------|