Skip to content

Fix command injection vulnerability in CI workflow via untrusted fork PR #439

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Fix command injection vulnerability in CI workflow via untrusted fork PR #439

wants to merge 2 commits into from

Conversation

Copy link
Contributor

Copilot AI commented Nov 26, 2025
edited
Loading

Direct interpolation of ${{ matrix.app.name }} in shell commands allows command injection from fork PRs that modify scripts/create-test-matrix.mjs.

Changes

  • Replace direct ${{ matrix.app.name }} interpolation with environment variables in shell commands
  • Quote all path references using the environment variable

Before:

- name: Run E2E Tests
  run: cd workbench/${{ matrix.app.name }} && pnpm start

After:

- name: Run E2E Tests
  run: cd "workbench/${APP_NAME}" && pnpm start
  env:
    APP_NAME: ${{ matrix.app.name }}

Jobs fixed

  • e2e-local-dev: Setup canary, Resolve symlinks, Run E2E Tests
  • e2e-local-prod: Setup canary, Run E2E Tests
  • e2e-local-postgres: Setup canary, Run E2E Tests

View original Slack conversation

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

@changeset-bot
Copy link

changeset-bot bot commented Nov 26, 2025
edited
Loading

⚠️ No Changeset found

Latest commit: 272d769

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@vercel
Copy link
Contributor

vercel bot commented Nov 26, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
example-nextjs-workflow-turbopack Ready Ready Preview Comment Nov 26, 2025 6:21pm
example-nextjs-workflow-webpack Ready Ready Preview Comment Nov 26, 2025 6:21pm
example-workflow Ready Ready Preview Comment Nov 26, 2025 6:21pm
workbench-express-workflow Ready Ready Preview Comment Nov 26, 2025 6:21pm
workbench-fastify-workflow Error Error Nov 26, 2025 6:21pm
workbench-hono-workflow Ready Ready Preview Comment Nov 26, 2025 6:21pm
workbench-nitro-workflow Ready Ready Preview Comment Nov 26, 2025 6:21pm
workbench-nuxt-workflow Ready Ready Preview Comment Nov 26, 2025 6:21pm
workbench-sveltekit-workflow Ready Ready Preview Comment Nov 26, 2025 6:21pm
workbench-vite-workflow Ready Ready Preview Comment Nov 26, 2025 6:21pm
workflow-docs Ready Ready Preview Comment Nov 26, 2025 6:21pm

@pranaygp pranaygp changed the title [WIP] Fix command injection in CI workflow of Workflow DevKit [WIP] Fix command injection in CI workflow Nov 26, 2025
@pranaygp
Fix command injection vulnerability in CI workflow by using environme…
272d769 
…nt variables

Replace direct interpolation of ${{ matrix.app.name }} in shell commands with environment
variables passed via the env: section. All paths are now quoted to prevent command injection
from untrusted fork PRs.

Affected jobs:
- e2e-local-dev: Setup canary, Resolve symlinks, Run E2E Tests
- e2e-local-prod: Setup canary, Run E2E Tests
- e2e-local-postgres: Setup canary, Run E2E Tests

Co-authored-by: pranaygp <[email protected]>
Copilot AI changed the title [WIP] Fix command injection in CI workflow Fix command injection vulnerability in CI workflow via untrusted fork PR Nov 26, 2025
Copilot finished work on behalf of pranaygp November 26, 2025 18:20
Copilot AI requested a review from pranaygp November 26, 2025 18:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pranaygp pranaygp Awaiting requested review from pranaygp

At least 1 approving review is required to merge this pull request.

Assignees

@pranaygp pranaygp

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pranaygp