From 3e2c7fdddeb80902de3904d27970232b2ca39cef Mon Sep 17 00:00:00 2001 From: Manish Gupta Date: Tue, 30 Jun 2026 11:29:54 +0530 Subject: [PATCH 1/2] [WEB-7945] fix(security): prevent shell injection in feature-deployment.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bind `github.event.inputs.base_tag_name` and `env.TARGET_BRANCH` to step-level env vars (INPUT_BASE_TAG_NAME, GH_TARGET_BRANCH) and reference them as shell variables in the run: script instead of interpolating ${{ }} expressions inline. GitHub Actions expands ${{ }} before the shell executes, so a crafted base_tag_name value could inject arbitrary commands into the runner context (GHSA-gfj7-g3wj-2p5f). Using env: breaks the injection path — the value is set as a process environment variable, never as raw shell text. Co-authored-by: Plane AI --- .github/workflows/feature-deployment.yml | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/.github/workflows/feature-deployment.yml b/.github/workflows/feature-deployment.yml index c0740c517b4..cd7432f6ba1 100644 --- a/.github/workflows/feature-deployment.yml +++ b/.github/workflows/feature-deployment.yml @@ -29,21 +29,27 @@ jobs: steps: - id: set_env_variables name: Set Environment Variables + env: + # Bind user-controlled workflow inputs and branch refs to env vars so + # they are never string-interpolated into the shell script by GitHub + # Actions (prevents expression-injection / shell-injection). + INPUT_BASE_TAG_NAME: ${{ github.event.inputs.base_tag_name }} + GH_TARGET_BRANCH: ${{ env.TARGET_BRANCH }} run: | echo "BUILDX_DRIVER=docker-container" >> $GITHUB_OUTPUT echo "BUILDX_VERSION=latest" >> $GITHUB_OUTPUT echo "BUILDX_PLATFORMS=linux/amd64" >> $GITHUB_OUTPUT echo "BUILDX_ENDPOINT=" >> $GITHUB_OUTPUT - if [ "${{ github.event.inputs.base_tag_name }}" != "" ]; then - echo "AIO_BASE_TAG=${{ github.event.inputs.base_tag_name }}" >> $GITHUB_OUTPUT + if [ "$INPUT_BASE_TAG_NAME" != "" ]; then + echo "AIO_BASE_TAG=$INPUT_BASE_TAG_NAME" >> $GITHUB_OUTPUT else echo "AIO_BASE_TAG=develop" >> $GITHUB_OUTPUT fi - echo "TARGET_BRANCH=${{ env.TARGET_BRANCH }}" >> $GITHUB_OUTPUT + echo "TARGET_BRANCH=$GH_TARGET_BRANCH" >> $GITHUB_OUTPUT - FLAT_BRANCH_NAME=$(echo "${{ env.TARGET_BRANCH }}" | sed 's/[^a-zA-Z0-9]/-/g') + FLAT_BRANCH_NAME=$(echo "$GH_TARGET_BRANCH" | sed 's/[^a-zA-Z0-9]/-/g') echo "FLAT_BRANCH_NAME=$FLAT_BRANCH_NAME" >> $GITHUB_OUTPUT - id: checkout_files From 2548deba2d965b065e5796e06cb925b0647eeb14 Mon Sep 17 00:00:00 2001 From: Manish Gupta Date: Tue, 30 Jun 2026 11:44:14 +0530 Subject: [PATCH 2/2] [WEB-7945] fix: strip CR/LF from base_tag_name before writing to GITHUB_OUTPUT A newline embedded in the value would let an attacker forge additional output keys in the line-delimited $GITHUB_OUTPUT file (output injection). Strip \r and \n via tr before writing AIO_BASE_TAG, addressing the CodeRabbit finding on PR #9334. Co-authored-by: Plane AI --- .github/workflows/feature-deployment.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/feature-deployment.yml b/.github/workflows/feature-deployment.yml index cd7432f6ba1..f7ade5e169d 100644 --- a/.github/workflows/feature-deployment.yml +++ b/.github/workflows/feature-deployment.yml @@ -36,13 +36,17 @@ jobs: INPUT_BASE_TAG_NAME: ${{ github.event.inputs.base_tag_name }} GH_TARGET_BRANCH: ${{ env.TARGET_BRANCH }} run: | + # Strip CR/LF from user-supplied input to prevent $GITHUB_OUTPUT + # injection: a newline in the value would forge extra output keys. + SAFE_BASE_TAG=$(printf '%s' "$INPUT_BASE_TAG_NAME" | tr -d '\r\n') + echo "BUILDX_DRIVER=docker-container" >> $GITHUB_OUTPUT echo "BUILDX_VERSION=latest" >> $GITHUB_OUTPUT echo "BUILDX_PLATFORMS=linux/amd64" >> $GITHUB_OUTPUT echo "BUILDX_ENDPOINT=" >> $GITHUB_OUTPUT - if [ "$INPUT_BASE_TAG_NAME" != "" ]; then - echo "AIO_BASE_TAG=$INPUT_BASE_TAG_NAME" >> $GITHUB_OUTPUT + if [ "$SAFE_BASE_TAG" != "" ]; then + echo "AIO_BASE_TAG=$SAFE_BASE_TAG" >> $GITHUB_OUTPUT else echo "AIO_BASE_TAG=develop" >> $GITHUB_OUTPUT fi