fix: prevent command injection in release workflow #442
Conversation
Mitigate remote code execution in release-build.yml where unsanitized user input could execute arbitrary commands and expose secrets. - Add input validation for semantic versioning format - Use environment variables instead of direct interpolation
.github/workflows/release-build.yml
Outdated
| fi | ||
| - name: Build and test | ||
| run: ./gradlew build -Prelease.version=${{ github.event.inputs.version }} --stacktrace | ||
| run: ./gradlew build -Prelease.version="${RELEASE_VERSION}" --stacktrace |
There was a problem hiding this comment.
Sanity check: should this not be "$RELEASE_VERSION" - similar to https://github.com/aws-observability/aws-otel-go/pull/280/files
There was a problem hiding this comment.
Could you please elaborate? "$RELEASE_VERSION" is an intermediate environment variable, similar to "$TARGET_SHA" in your PR. Why shouldn't it be used?
There was a problem hiding this comment.
You are doing "${RELEASE_VERSION}", does that work the same as "$RELEASE_VERSION"
There was a problem hiding this comment.
No functional difference here, but "${RELEASE_VERSION}" is cleaner and safer in general.
3.5.3 Shell Parameter Expansion
https://www.gnu.org/software/bash/manual/bash.html#Shell-Parameter-Expansion-1
There was a problem hiding this comment.
In my opinion, we should keep the style consistent with our other repos. It looks we don't use braces for retrieving env var in other workflows, and I vote for the no-brace style - $RELEASE_VERSION here.
There was a problem hiding this comment.
I think it's a minor point and reversible, just wanted to make sure it was functionally equivalent. Approved
There was a problem hiding this comment.
Brace is removed now.
3 participants
Mitigate remote code execution in release-build.yml where unsanitized user input could execute arbitrary commands and expose secrets.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.