fix(workflows): Prevent shell injection in fast-revert workflow#4210

Closed
bc-sentry wants to merge 1 commit into master from linear.app/getsentry/issue/DI-967

Conversation

@bc-sentry

Summary

This PR fixes a shell injection vulnerability in the fast-revert.yml GitHub Actions workflow.

Vulnerability

The "comment on failure" step directly interpolates GitHub context values (${{ github.event.inputs.pr }}, ${{ github.repository }}, ${{ github.run_id }}, etc.) inside a run: block. This pattern is flagged by the Semgrep rule yaml.github-actions.security.run-shell-injection.run-shell-injection.

When GitHub context values are interpolated directly into shell commands, a malicious actor could craft input (e.g., a specially crafted PR number or repository name) that breaks out of the intended shell context and executes arbitrary commands.

Fix

Replace direct context interpolation with environment variables. The GitHub context values are safely assigned to env: variables, which are then referenced as shell variables (e.g., $GH_TOKEN, $REPO). This prevents shell injection because environment variable expansion does not allow command substitution.

References

Use environment variables instead of direct GitHub context interpolation
in shell commands to prevent potential script injection attacks.

Refs: https://linear.app/getsentry/issue/DI-967

Co-Authored-By: Claude <noreply@anthropic.com>
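The two patterns the description contrasts, as an added example that is not part of this PR or the getsentry repository: a POSIX shell script that emulates how the Actions runner turns a `run:` block into a script, so the vulnerable and fixed forms can be compared offline. The function names, the `PR`/`REPO` variable names, the repository string and the attacker payload are all constructed for illustration; the `has_inline_expression` check is a simple grep for the condition the Semgrep rule named above reports, not the rule itself.

```shell
#!/bin/sh
# Added example (not code from the getsentry repository). Emulates how GitHub
# Actions renders a run: block so the two patterns can be compared offline.
# Function names, variable names, repo string and payload are constructed.

# Vulnerable pattern. The workflow author writes:
#   run: echo "Failed to revert PR ${{ github.event.inputs.pr }} in ${{ github.repository }}"
# The expression engine pastes the raw values into the script TEXT before the
# shell ever parses it. render_vulnerable emulates that textual substitution.
render_vulnerable() {
  pr="$1"; repo="$2"
  printf 'echo "Failed to revert PR %s in %s"' "$pr" "$repo"
}

run_vulnerable() {
  # The runner hands the rendered text to the shell, which parses it as code:
  # any $(...), backticks or quote characters in the input are now shell syntax.
  sh -c "$(render_vulnerable "$1" "$2")" 2>&1
}

# Fixed pattern. The workflow author writes:
#   env:
#     PR: ${{ github.event.inputs.pr }}
#     REPO: ${{ github.repository }}
#   run: echo "Failed to revert PR $PR in $REPO"
# The script text is now a constant; the values reach the shell only as
# environment variables, and parameter expansion never re-parses their contents.
run_fixed() {
  PR="$1" REPO="$2" sh -c 'echo "Failed to revert PR $PR in $REPO"' 2>&1
}

# Reviewer check over a run: script: does it still contain a ${{ ... }}
# expression? Returns 0 (true) if so. Constructed helper, not the Semgrep rule.
has_inline_expression() {
  printf '%s' "$1" | grep -F -q '${{'
}

# Constructed attacker input: a "PR number" carrying a command substitution.
PAYLOAD='123$(echo INJECTED)'
REPO='getsentry/self-hosted'

if [ "${1:-}" = "demo" ]; then
  echo "vulnerable: $(run_vulnerable "$PAYLOAD" "$REPO")"
  echo "fixed:      $(run_fixed "$PAYLOAD" "$REPO")"
fi
```

Run with `sh example.sh demo`: the vulnerable path prints `123INJECTED` because the shell executed the substitution embedded in the input, while the fixed path prints the payload verbatim. The fix relies on the script quoting `"$PR"`; an unquoted `$PR` is still safe from command substitution but remains subject to word splitting and globbing, and a value passed on to another `sh -c`, `eval`, or a `gh`/`git` argument that itself is interpreted can reintroduce the problem.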
@linear-code

linear-code bot commented Mar 10, 2026

@github-actions

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).

New Features ✨

  • Reorder pull images by aldy505 in #4202

Bug Fixes 🐛

  • (workflows) Prevent shell injection in fast-revert workflow by bc-sentry in #4210
  • Manual image tags rollback to nightly by aldy505 in #4204

Internal Changes 🔧

Deps

  • Bump actions/setup-node from 6.2.0 to 6.3.0 by dependabot in #4206
  • Bump getsentry/craft from 2.21.7 to 2.23.2 by dependabot in #4207
  • Bump minimatch from 9.0.5 to 9.0.7 in /_integration-test/nodejs by dependabot in #4189

🤖 This preview updates automatically when you update the PR.

@bc-sentry bc-sentry closed this Mar 10, 2026
@bc-sentry bc-sentry deleted the linear.app/getsentry/issue/DI-967 branch March 10, 2026 23:54