wireapp / wire-webapp

👽 Wire for web
https://app.wire.com
GNU General Public License v3.0

fix(actions): prevent command injection in GHA workflow (WPB-9709) #17620

Closed. lwille closed this 1 month ago

lwille commented 3 months ago

Description

It was possible to run arbitrary commands in the context of the GitHub Actions workflow by using an unsanitized user input (env) in a run step.

As a best practice, we shall try to sanitize any user input, which can be done by passing it through an env var.

References

Checklist

Task WPB-9709: Fix GHA pipeline command injection vulnerabilities
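The pattern the description refers to, shown as an added illustrative workflow rather than the PR's own diff: the trigger, job names and the use of the pull-request title field are assumptions.

```yaml
# Added illustrative example (not the PR's own change). The trigger, job
# names and the pull-request title field are assumptions.
name: example-pr-check
on:
  pull_request:
    types: [opened, edited]

jobs:
  vulnerable:
    runs-on: ubuntu-latest
    steps:
      # BAD: the ${{ }} expression is substituted into the script text before
      # the shell runs it. A title containing a closing quote followed by
      # shell metacharacters therefore becomes part of the command line and
      # runs with the job's token and permissions.
      - name: Echo PR title (vulnerable)
        run: echo "PR title: ${{ github.event.pull_request.title }}"

  hardened:
    runs-on: ubuntu-latest
    steps:
      # GOOD: the value is handed to the step as an environment variable.
      # The script text is now a fixed string; the shell reads $PR_TITLE as
      # data, never as code, and the double quotes prevent word splitting.
      - name: Echo PR title (hardened)
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $PR_TITLE"
```

The same treatment applies to any other attacker-controlled field (branch names, commit messages, issue or PR bodies, labels) that a workflow would otherwise interpolate into a `run:` script.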


sonarcloud[bot] commented 3 months ago

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

sonarcloud[bot] commented 1 month ago

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

codecov-commenter commented 1 month ago

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 46.59%. Comparing base (84b89bd) to head (fbf3b16). Report is 2 commits behind head on dev.

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##              dev   #17620      +/-   ##
==========================================
+ Coverage   46.58%   46.59%   +0.01%
==========================================
  Files         781      781
  Lines       25158    25161       +3
  Branches     5753     5756       +3
==========================================
+ Hits        11719    11723       +4
  Misses      11964    11964
+ Partials     1475     1474       -1
```