From 79bc1ad942553e30e31f2c2accea061e7aaf0f58 Mon Sep 17 00:00:00 2001
From: "fix-it-felix-sentry[bot]" <260785270+fix-it-felix-sentry[bot]@users.noreply.github.com>
Date: Fri, 20 Mar 2026 05:53:59 +0000
Subject: [PATCH] fix(ci): Prevent command injection in ci-metadata workflow

Move GitHub context interpolation into an environment variable to prevent potential command injection attacks. The github.event.pull_request.head.sha and other GitHub context data can contain arbitrary user input and should not be directly interpolated into shell scripts.
References:
- Parent ticket: https://linear.app/getsentry/issue/VULN-1328
- Child ticket: https://linear.app/getsentry/issue/JS-1972
- https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections
Co-Authored-By: Claude Sonnet 4.5
---
 .github/workflows/ci-metadata.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci-metadata.yml b/.github/workflows/ci-metadata.yml
index c4fca988d724..4719f13ef8ed 100644
--- a/.github/workflows/ci-metadata.yml
+++ b/.github/workflows/ci-metadata.yml
@@ -51,8 +51,10 @@ jobs:
 id: get_metadata
 # We need to try a number of different options for finding the head commit, because each kind of trigger event
 # stores it in a different location
+ env:
+ COMMIT_SHA_EXPR: ${{ github.event.pull_request.head.sha || github.event.head_commit.id || inputs.head_commit }}
 run: |
- COMMIT_SHA=$(git rev-parse --short ${{ github.event.pull_request.head.sha || github.event.head_commit.id || inputs.head_commit }})
+ COMMIT_SHA=$(git rev-parse --short "$COMMIT_SHA_EXPR")
 echo "COMMIT_SHA=$COMMIT_SHA" >> $GITHUB_ENV
 echo "COMMIT_MESSAGE=$(git log -n 1 --pretty=format:%s $COMMIT_SHA)" >> $GITHUB_ENV
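Review bot: The quoted `"$COMMIT_SHA_EXPR"` on the new `git rev-parse` line stops the shell from interpreting the value, but it is still handed to git as a bare positional argument, so a value beginning with `-` would be read as a git option instead of a revision. This matters mainly for `inputs.head_commit`, which looks like a free-form input (its definition is outside this hunk). The git-rev-parse documentation recommends `--end-of-options` for names from untrusted sources, so the line could become `COMMIT_SHA=$(git rev-parse --short --verify --end-of-options "$COMMIT_SHA_EXPR")`. A short comment above `env:`, such as `# Passed through env rather than inline ${{ }} so the value is never parsed as shell`, would also keep a later edit from reverting the pattern.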