Commit 49124d0
Prevent script injection in coverageReport workflow (#1295)
Move attacker-controlled PR body and derived step outputs from inline ${{ }} expressions to env variables, preventing shell command injection via malicious PR descriptions (e.g. PR #1290).

Co-authored-by: Isaac

## Description
<!-- Provide a brief summary of the changes made and the issue they aim to address.-->

## Testing
<!-- Describe how the changes have been tested-->

## Additional Notes to the Reviewer
<!-- Share any additional context or insights that may help the reviewer understand the changes better. This could include challenges faced, limitations, or compromises made during the development process. Also, mention any areas of the code that you would like the reviewer to focus on specifically. -->

NO_CHANGELOG=true (not a user facing change)
1 parent 806ee61 commit 49124d0
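The mechanism the commit message describes, as an added demonstration that is not code from this repository: a throwaway bash harness that mimics how the Actions runner splices `${{ github.event.pull_request.body }}` into the script text before bash parses it, beside the `env:` form this commit switches to. The two PR bodies, the marker file, and the function names are constructed for the example; the grep pattern uses `[[:space:]]` where the workflow uses `\s`, so it runs on any grep.

```bash
#!/usr/bin/env bash
# Added demonstration, not code from the repository: why splicing a PR body
# into a `run:` script via ${{ }} is command injection, and why passing the
# same body through `env:` is not. The runner substitutes ${{ expr }} into the
# script *text* before bash parses it; an env var is only read by bash after
# parsing, so its contents are data, never code.

# Constructed attacker PR body: closes the echo's double quote, runs a
# command, then reopens a quote so the rest of the original line still parses.
MALICIOUS_BODY='SKIP_COVERAGE_CHECK=flaky"; echo INJECTED >"$MARKER"; echo "'

# Constructed benign body that legitimately requests an override.
BENIGN_BODY='Refactor only.
SKIP_COVERAGE_CHECK = generated code is excluded'

# Run a script text in a child bash with $MARKER pointing at a scratch file;
# print INJECTED if the child wrote to that file, otherwise CLEAN.
run_and_check() {
  local script=$1 body=$2 marker
  marker=$(mktemp)
  PR_BODY="$body" MARKER="$marker" bash -c "$script" >/dev/null 2>&1 || true
  if grep -q INJECTED "$marker"; then echo INJECTED; else echo CLEAN; fi
  rm -f "$marker"
}

# Vulnerable pattern (before this commit): the body is pasted into the script
# source, which is what ${{ github.event.pull_request.body }} amounts to.
inline_expansion() {
  local body=$1
  run_and_check "OVERRIDE_COMMENT=\$(echo \"$body\" | grep -E 'SKIP_COVERAGE_CHECK[[:space:]]*=' || echo \"\")" "$body"
}

# Fixed pattern (this commit): the script references $PR_BODY, which the
# child bash reads from its environment at run time.
env_variable() {
  local body=$1
  run_and_check 'OVERRIDE_COMMENT=$(echo "$PR_BODY" | grep -E "SKIP_COVERAGE_CHECK[[:space:]]*=" || echo "")' "$body"
}

# The safe form still finds the override line; print what the fixed step
# captures in OVERRIDE_COMMENT. A hostile body comes back verbatim, as data.
env_override_comment() {
  PR_BODY="$1" bash -c 'OVERRIDE_COMMENT=$(echo "$PR_BODY" | grep -E "SKIP_COVERAGE_CHECK[[:space:]]*=" || echo ""); printf "%s" "$OVERRIDE_COMMENT"'
}

echo "inline, malicious body: $(inline_expansion "$MALICIOUS_BODY")"   # INJECTED
echo "env,    malicious body: $(env_variable "$MALICIOUS_BODY")"       # CLEAN
echo "inline, benign body:    $(inline_expansion "$BENIGN_BODY")"      # CLEAN
echo "env,    benign body:    $(env_variable "$BENIGN_BODY")"          # CLEAN
echo "env captures: $(env_override_comment "$BENIGN_BODY")"
```

The harness exports `MARKER` only so the injected command has something observable to do; in a real job the same quote-breaking body could run anything the runner token allows.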

1 file changed

Lines changed: 8 additions & 3 deletions

File tree

.github/workflows/coverageReport.yml

@@ -38,8 +38,10 @@ jobs:
3838

3939
- name: Check for coverage override
4040
id: override
41+
env:
42+
PR_BODY: ${{ github.event.pull_request.body }}
4143
run: |
42-
OVERRIDE_COMMENT=$(echo "${{ github.event.pull_request.body }}" | grep -E "SKIP_COVERAGE_CHECK\s*=" || echo "")
44+
OVERRIDE_COMMENT=$(echo "$PR_BODY" | grep -E "SKIP_COVERAGE_CHECK\s*=" || echo "")
4345
if [ -n "$OVERRIDE_COMMENT" ]; then
4446
echo "override=true" >> $GITHUB_OUTPUT
4547
REASON=$(echo "$OVERRIDE_COMMENT" | sed -E 's/.*SKIP_COVERAGE_CHECK\s*=\s*(.+)/\1/')
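Review bot: REASON at the end of this hunk is still attacker-controlled and can be multi-line, because `grep -E` returns every matching line of the PR body and `sed` rewrites each one, so a body with two SKIP_COVERAGE_CHECK lines yields a REASON containing a newline. The step's `reason` output is consumed later as steps.override.outputs.reason, so wherever it is written to $GITHUB_OUTPUT (below this hunk) a newline lets the author append extra `key=value` lines; take only the first match (`grep -m1 -E ...` or `| head -n1`) or write the value with a heredoc delimiter (`reason<<EOF`). Minor: use `printf '%s\n' "$PR_BODY"` rather than `echo` so a body starting with `-n` or `-e` is not eaten, and quote `>> "$GITHUB_OUTPUT"`.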
@@ -84,9 +86,12 @@ jobs:
8486
fi
8587
8688
- name: Coverage enforcement summary
89+
env:
90+
OVERRIDE: ${{ steps.override.outputs.override }}
91+
OVERRIDE_REASON: ${{ steps.override.outputs.reason }}
8792
run: |
88-
if [ "${{ steps.override.outputs.override }}" == "true" ]; then
89-
echo "⚠️ Coverage checks bypassed: ${{ steps.override.outputs.reason }}"
93+
if [ "$OVERRIDE" == "true" ]; then
94+
echo "⚠️ Coverage checks bypassed: $OVERRIDE_REASON"
9095
echo "Please ensure this override is justified and temporary"
9196
else
9297
echo "✅ Coverage checks enforced - minimum 85% required"
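Review bot: OVERRIDE_REASON in the `echo "⚠️ Coverage checks bypassed: $OVERRIDE_REASON"` line remains attacker-authored text that now reaches the job log verbatim; that is safe here, but it must not be forwarded anywhere it is re-interpreted (a later `${{ }}` expression, an unquoted `run:` line, or a Markdown step summary). `printf '%s\n'` instead of `echo` also avoids a reason beginning with `-n` or `-e` being treated as an option. Nit: `[ "$OVERRIDE" == "true" ]` relies on bash; `=` is the POSIX form and behaves the same under the default shell.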
