From f12c7177edea18a10fa5d9a5d284d2df7d7a0d24 Mon Sep 17 00:00:00 2001
From: "fix-it-felix-sentry[bot]" <260785270+fix-it-felix-sentry[bot]@users.noreply.github.com>
Date: Wed, 18 Feb 2026 14:06:17 -0800
Subject: [PATCH] fix(workflows): prevent shell injection in fast-revert workflow

Use environment variables instead of direct GitHub context interpolation in run steps to prevent potential shell injection attacks.

Fixes VULN-1096
Fixes STREAM-694

Co-Authored-By: Claude Sonnet 4.5
---
 .github/workflows/fast-revert.yml | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/fast-revert.yml b/.github/workflows/fast-revert.yml
index d31c408e..d05e6dda 100644
--- a/.github/workflows/fast-revert.yml
+++ b/.github/workflows/fast-revert.yml
@@ -38,11 +38,17 @@ jobs:
 token: ${{ steps.token.outputs.token }}
 
 - name: comment on failure
+ env:
+ GH_TOKEN: ${{ steps.token.outputs.token }}
+ GH_REPOSITORY: ${{ github.repository }}
+ GH_RUN_ID: ${{ github.run_id }}
+ GH_REPO_ID: ${{ github.event.repository.id }}
+ PR_NUMBER: ${{ github.event.number || github.event.inputs.pr }}
 run: |
 curl \
 --silent \
 -X POST \
- -H 'Authorization: token ${{ steps.token.outputs.token }}' \
- -d'{"body": "revert failed (conflict? already reverted?) -- [check the logs](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})"}' \
- https://api.github.com/repositories/${{ github.event.repository.id }}/issues/${{ github.event.number || github.event.inputs.pr }}/comments
+ -H "Authorization: token $GH_TOKEN" \
+ -d"{\"body\": \"revert failed (conflict? already reverted?) -- [check the logs](https://github.com/$GH_REPOSITORY/actions/runs/$GH_RUN_ID)\"}" \
+ "https://api.github.com/repositories/$GH_REPO_ID/issues/$PR_NUMBER/comments"
 if: failure()
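Review bot: `PR_NUMBER` on the new URL line is still used unvalidated: moving `github.event.inputs.pr` into `env:` stops the shell from parsing it, but the value (presumably a free-form workflow_dispatch input — the trigger definitions are outside this hunk) is still spliced into the request path, so a non-numeric value sends the comment to an unintended endpoint, and with `--silent` and no `--fail` on the curl call the step will not report it. A guard before `curl` pins the contract: `[[ "$PR_NUMBER" =~ ^[0-9]+$ ]] || { echo "invalid PR number: $PR_NUMBER" >&2; exit 1; }`. The JSON body on the `-d` line is hand-escaped inside a double-quoted shell string; `$GH_REPOSITORY` and `$GH_RUN_ID` are GitHub-controlled values here, but building it with `jq -n --arg body "..." '{body: $body}'` (or using `gh api`, which already honours `GH_TOKEN`) would remove the manual escaping and the risk of a malformed body going unnoticed. The enclosing `jobs:` block and the rest of this job start outside the hunk.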