Skip to content

build: Fix command injection possibility in playwright GHA #16510

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jun 10, 2025

Conversation

AbhiPrasad
Copy link
Member

resolves https://linear.app/getsentry/issue/FE-484

Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".

@AbhiPrasad AbhiPrasad requested a review from a team June 9, 2025 15:45
@AbhiPrasad AbhiPrasad self-assigned this Jun 9, 2025
@AbhiPrasad AbhiPrasad requested review from mydea and chargome and removed request for a team June 9, 2025 15:45
@AbhiPrasad AbhiPrasad marked this pull request as ready for review June 9, 2025 16:05
@AbhiPrasad AbhiPrasad merged commit 037fbef into develop Jun 10, 2025
110 of 112 checks passed
@AbhiPrasad AbhiPrasad deleted the abhi-fix-playwright-gha-cmd-injection branch June 10, 2025 14:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants