Fix potential security issue with variable interpolation in the run step #64

coderabbitai · 2024-05-16T11:45:08Z

There is a potential security issue with variable interpolation in the run: step in the GitHub Actions workflow file .github/workflows/publish-central.yml.

Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes for the environment variable, like this: "$ENVVAR".

Suggested change:

- run: mvn versions:set -B -DnewVersion=\${{ github.event.inputs.tag }}
+ env:
+   NEW_VERSION: \${{ github.event.inputs.tag }}
+ run: mvn versions:set -B -DnewVersion="$NEW_VERSION"

Relevant PR: #63
Comment URL: here

Requested by overheadhunter.

The text was updated successfully, but these errors were encountered:

infeo · 2024-05-16T15:09:19Z

Fixed in 83a9097

Acutally fixing #64

overheadhunter · 2024-05-17T06:02:41Z

Fixed the fix in 75c56b7

infeo closed this as completed May 16, 2024

infeo added a commit that referenced this issue May 16, 2024

Update publish-central.yml

75c56b7

Acutally fixing #64

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix potential security issue with variable interpolation in the run step #64

Fix potential security issue with variable interpolation in the run step #64

coderabbitai bot commented May 16, 2024

infeo commented May 16, 2024

overheadhunter commented May 17, 2024

Fix potential security issue with variable interpolation in the run step #64

Fix potential security issue with variable interpolation in the run step #64

Comments

coderabbitai bot commented May 16, 2024

infeo commented May 16, 2024

overheadhunter commented May 17, 2024