ci: fix expression injection in cherry-pick.yml#16265
Open
XananasX7 wants to merge 1 commit into
Open
Conversation
The extract-labels step interpolated github.event.label.name and github.event.action directly into a run: shell script. A label name containing shell metacharacters (e.g. single quotes, semicolons) could break out of the surrounding string and execute arbitrary commands in the runner context. Move the injectable values into env: variables (EVENT_ACTION, LABEL_NAME, LABELS_JSON) and reference them as $ENV_VAR in the shell, which is the safe pattern recommended by GitHub's security hardening guide. The CHERRY_PICK_DATA JSON construction is also rewritten to use jq --arg so label/version values are always JSON-string-escaped rather than interpolated into a raw JSON literal.
Author
|
Friendly ping on this CI expression injection fix for cherry-pick.yml. Happy to address any review feedback. Thank you! |
Member
Please could you fix the DCO signoff - you need to sign the commits with a username that has signed the DCO. https://probot.github.io/apps/dco/ |
Joibel
approved these changes
Jul 2, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The extract-labels step in cherry-pick.yml interpolates
github.event.label.name and github.event.action directly into a
run: shell script without going through an env: variable:
LABEL_NAME="${{ github.event.label.name }}"
A label whose name contains shell metacharacters (single quote,
semicolon, command substitution, etc.) could break out of the
surrounding string and execute arbitrary commands in the runner.
This workflow is triggered by pull_request_target, which runs with
write access to the base repository. The risk is therefore higher
than for ordinary pull_request-triggered workflows.
Fix: move github.event.label.name, github.event.action, and the
labels JSON into env: variables (LABEL_NAME, EVENT_ACTION,
LABELS_JSON) and reference them as $VAR in the shell body.
The CHERRY_PICK_DATA JSON is also rewritten to use jq --arg so
the label and version values are always properly JSON-encoded
rather than concatenated into a raw JSON literal string.
This follows the safe pattern recommended in GitHub's security
hardening for GitHub Actions guide and enforced by tools such as
zizmor and StepSecurity Harden-Runner.
No behaviour change is intended; the output format of the labels
GITHUB_OUTPUT variable is preserved.