
fix(ci): sanitize PR title input to prevent shell injection #801


Open: wants to merge 2 commits into base: stable

Conversation

jennedebleser

Description of the change

Improves security in the GitHub Actions workflow by safely extracting the new release version from the PR title. The previous implementation injected the title directly into the shell context, which could lead to command injection if the PR title was crafted maliciously.

Uses a stricter regular expression to match semantic version patterns (e.g., X.Y.Z) and ensures proper quoting of variables to avoid unexpected behavior.

Adds quoting to all variable expansions used in echo statements to align with shell best practices.

Uses $(...) notation instead of legacy backticks `...`.

Checklist

Development

  • The changes have been covered with tests, if necessary.
  • You have a green build, with the exception of the flaky tests.
  • UI and JS files are fully tested, the user interface works for all modules affected by your changes (e.g., solve and analyze buttons).
  • The network calls work for all modules affected by your changes (e.g., solving a problem).
  • The console messages are validated for all modules affected by your changes.

Code Review

  • This pull request includes an explanatory title and description.
  • The GitHub issue is linked.
  • At least one other engineer has approved the changes.
  • After PR is merged, inform the reporter.
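The fix the description outlines, as an added example rather than the project's own workflow script: the PR title reaches the shell as an environment variable (assumed name `PR_TITLE`, fed from `github.event.pull_request.title` in an `env:` block), a strict X.Y.Z pattern is extracted with quoted expansions and `$(...)`, and a title carrying no such version fails the step. `extract_version` and the YAML fragment in the comments are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example, not the project's workflow: pull a strict X.Y.Z version out of
# a PR title that reaches the script as *data* (an env var), never as code.
#
# Unsafe pattern (what the PR describes fixing): the title is pasted into the
# script before the shell parses it, so a crafted title becomes shell syntax.
#   run: echo "Releasing ${{ github.event.pull_request.title }}"
#
# Safer pattern (assumed step, not the project's own): the expression goes into
# `env:`; the shell only ever sees a quoted variable expansion.
#   env:
#     PR_TITLE: ${{ github.event.pull_request.title }}
#   run: ./extract_version.sh
set -eu

# extract_version TITLE
# Prints the first token shaped exactly like X.Y.Z and returns 0; prints nothing
# and returns 1 if no such token exists (so "1.2.3.4" and "1.2" are rejected).
extract_version() {
  # Pad with spaces so the boundary classes also apply at both ends of the title;
  # fold newlines so a multi-line title is scanned as one line.
  v=$(printf ' %s ' "$1" | tr '\n' ' ' \
    | grep -oE '[^0-9.][0-9]+\.[0-9]+\.[0-9]+[^0-9.]' \
    | head -n 1 \
    | sed -E 's/^[^0-9.]//; s/[^0-9.]$//')
  [ -n "$v" ] || return 1
  printf '%s\n' "$v"
}

# When run inside a job step: read the title from the environment, fail the
# step on a malformed title, and hand the version to later steps through
# GITHUB_OUTPUT (always quoted, always $(...) rather than backticks).
if [ -n "${PR_TITLE:-}" ]; then
  VERSION="$(extract_version "$PR_TITLE")" || {
    echo "PR title does not contain a version of the form X.Y.Z" >&2
    exit 1
  }
  echo "version=${VERSION}" >> "${GITHUB_OUTPUT:-/dev/stdout}"
fi
```

A title such as `Bump to 10.0.12 $(echo injected)` yields `10.0.12` with nothing executed, because the `$(...)` text is only ever the contents of a quoted variable.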

…e version extraction


triceo commented May 16, 2025

Thanks, @jennedebleser!
Would you mind adding an explanatory comment near the env var, so that our future selves remember why this is important?


triceo commented May 17, 2025

Also, please rebase this PR against the development branch.
The changes will be transferred to stable automatically during a release.
