Skip to content

ci: fix expression injection in cherry-pick.yml#16265

Open
XananasX7 wants to merge 1 commit into
argoproj:mainfrom
XananasX7:fix/ci-expression-injection-cherry-pick
Open

ci: fix expression injection in cherry-pick.yml#16265
XananasX7 wants to merge 1 commit into
argoproj:mainfrom
XananasX7:fix/ci-expression-injection-cherry-pick

Conversation

@XananasX7

Copy link
Copy Markdown

The extract-labels step in cherry-pick.yml interpolates
github.event.label.name and github.event.action directly into a
run: shell script without going through an env: variable:

LABEL_NAME="${{ github.event.label.name }}"

A label whose name contains shell metacharacters (single quote,
semicolon, command substitution, etc.) could break out of the
surrounding string and execute arbitrary commands in the runner.

This workflow is triggered by pull_request_target, which runs with
write access to the base repository. The risk is therefore higher
than for ordinary pull_request-triggered workflows.

Fix: move github.event.label.name, github.event.action, and the
labels JSON into env: variables (LABEL_NAME, EVENT_ACTION,
LABELS_JSON) and reference them as $VAR in the shell body.

The CHERRY_PICK_DATA JSON is also rewritten to use jq --arg so
the label and version values are always properly JSON-encoded
rather than concatenated into a raw JSON literal string.

This follows the safe pattern recommended in GitHub's security
hardening for GitHub Actions guide and enforced by tools such as
zizmor and StepSecurity Harden-Runner.

No behaviour change is intended; the output format of the labels
GITHUB_OUTPUT variable is preserved.

The extract-labels step interpolated github.event.label.name and
github.event.action directly into a run: shell script. A label name
containing shell metacharacters (e.g. single quotes, semicolons)
could break out of the surrounding string and execute arbitrary
commands in the runner context.

Move the injectable values into env: variables (EVENT_ACTION,
LABEL_NAME, LABELS_JSON) and reference them as $ENV_VAR in the
shell, which is the safe pattern recommended by GitHub's security
hardening guide.

The CHERRY_PICK_DATA JSON construction is also rewritten to use
jq --arg so label/version values are always JSON-string-escaped
rather than interpolated into a raw JSON literal.
@XananasX7 XananasX7 requested a review from a team as a code owner June 13, 2026 19:18
@XananasX7

Copy link
Copy Markdown
Author

Friendly ping on this CI expression injection fix for cherry-pick.yml. Happy to address any review feedback. Thank you!

@Joibel Joibel self-assigned this Jul 2, 2026
@Joibel

Joibel commented Jul 2, 2026

Copy link
Copy Markdown
Member

Friendly ping on this CI expression injection fix for cherry-pick.yml. Happy to address any review feedback. Thank you!

Please could you fix the DCO signoff - you need to sign the commits with a username that has signed the DCO. https://probot.github.io/apps/dco/

@Joibel Joibel enabled auto-merge (squash) July 2, 2026 15:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants