fix(ci): prevent command injection vulnerability in PR title validation [PSIRT-0974799192]#676
Conversation
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 90f49636ed
| # Mock version output for testing | ||
| OUTPUT="@webex/cc-components => 1.0.0-next.999" | ||
| echo "$OUTPUT" |
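Review bot: the step body is now a fixed `OUTPUT="@webex/cc-components => 1.0.0-next.999"` followed by `echo "$OUTPUT"`, which means the step can never fail and always reports the same package and version regardless of what changed; the comment marks it as test-only, so it should be reverted to the real version computation before this lands in the deploy workflow, or gated behind a dry-run input so the mock cannot run on a real push.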
Restore real package version generation
In the Deploy CD workflow for push to next, the versioning step now emits a hardcoded mock value (@webex/cc-components => 1.0.0-next.999) instead of running yarn package-tools increment. This makes publish-npm.outputs.package_versions incorrect on every real release, so downstream release comments/notifications will report the wrong package/version and changelog parameters for most deploys.
| if: false | ||
| run: yarn workspaces foreach -W --from '${{ needs.analyze-changes.outputs.yarn-recursive }}' --verbose run deploy:npm --access public --tag ${GITHUB_REF##*/} |
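Review bot: the `run:` line splices `${{ needs.analyze-changes.outputs.yarn-recursive }}` straight into the shell command, which is the same expression-into-shell pattern this PR removes for the PR title; expose the output through an `env:` entry and reference it as `"$YARN_RECURSIVE"` (or equivalent) so the value is never parsed by bash. The `if: false` above it also disables the publish step outright while later jobs still run, so it needs to be restored before merge.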
Re-enable npm deployment execution
The publish step is now permanently disabled with if: false, so no changed package can ever be deployed to npm in this production deploy workflow. Because this workflow still runs tagging/commenting jobs afterward, it can falsely signal successful releases while publishing nothing.
| name: Publish - Documentation | ||
| needs: [publish-npm,analyze-changes] | ||
| runs-on: ubuntu-latest | ||
| if: false # Skip for testing |
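Review bot: `if: false # Skip for testing` is a job-level condition, so the whole Publish - Documentation job is skipped on every run, not only during testing; since `needs: [publish-npm,analyze-changes]` still ties it to the publish job, the skip will look like a clean run in the job graph. Revert the condition before merge, or gate it on an explicit workflow input instead of a hard-coded `false`.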
Re-enable documentation publishing job
The documentation publish job is now unconditionally disabled (if: false), which means deploy runs will stop updating docs/changelog artifacts entirely. Any release messaging that links readers to changelog content can become stale because the docs branch never receives updates.
…on [PSIRT-0974799192] Replaces bash string interpolation with github-script action to safely validate PR titles and prevent command injection attacks. Also makes scope optional and adds security hardening (Unicode normalization, control character detection, length limits).
90f4963 to 9198e27
This pull request is automatically being deployed by Amplify Hosting.
@codex review
Codex Review: Didn't find any major issues. Keep them coming!
✅ Your changes have been merged! Thank you for your contribution! 🤖 This is an automated message. For queries, please contact support.
Summary
- … `github-script` action
- … (`fix: description` and `fix(scope): description` are now valid)
Security Impact
The previous implementation using `TITLE="${{ github.event.pull_request.title }}"` in a bash `run:` block was vulnerable to command injection. Attackers could execute arbitrary code by crafting malicious PR titles with shell metacharacters. This fix uses GitHub's `github-script` action, which safely accesses the PR title through the context object without shell interpretation.
Test Plan
- … `feat():` are rejected
Jira: https://jira-eng-gpk2.cisco.com/jira/browse/SPARK-793315
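Worked example, added here and not taken from this PR or the repository's workflow: a validator of the kind the description and the commit message outline, meant to run inside `actions/github-script`, where the title arrives as a JavaScript string from the webhook payload and is never expanded into a shell command. It implements the checks the commit message lists (Unicode normalization, control-character detection, a length limit, optional scope with an empty `feat():` scope rejected). The allowed-type list, the 100-character limit and the function name `validatePrTitle` are assumptions; the `context` and `core` objects in the header comment are the standard `github-script` interface.

```javascript
// Added example (not the project's code). Illustrates the vulnerable pattern
// the PR replaces and a validator for the hardened github-script version.
//
// Vulnerable pattern: the expression is expanded by the workflow template
// engine before bash runs, so a title such as `fix: $(id)` executes `id`:
//
//   - run: |
//       TITLE="${{ github.event.pull_request.title }}"
//
// Hardened pattern: the title is read from the payload as a JS value and
// handed to validatePrTitle below; nothing here touches a shell:
//
//   - uses: actions/github-script@v7
//     with:
//       script: |
//         const result = validatePrTitle(context.payload.pull_request.title);
//         if (!result.ok) core.setFailed(result.reason);

// Assumed rule set for the example (not taken from the repository).
const ALLOWED_TYPES = ['feat', 'fix', 'docs', 'chore', 'refactor', 'test', 'ci', 'build', 'perf', 'style', 'revert'];
const MAX_LENGTH = 100;

// Conventional Commits shape: type, optional (scope), optional "!", ": ", description.
// When parentheses are present the scope must be non-empty, so "feat():" fails to match.
const TITLE_RE = /^([a-z]+)(?:\(([^()\s]+)\))?(!)?: (\S.*)$/;

// C0 controls (NUL, ESC, CR, LF, ...), DEL, C1 controls, and the Unicode
// line and paragraph separators that some log viewers treat as newlines.
const CONTROL_RE = /[\u0000-\u001F\u007F-\u009F\u2028\u2029]/;

function validatePrTitle(rawTitle) {
  if (typeof rawTitle !== 'string') {
    return { ok: false, reason: 'title is not a string' };
  }
  // Reject control characters on the raw input, before normalization, so
  // NFKC cannot fold a control sequence into something that looks benign.
  if (CONTROL_RE.test(rawTitle)) {
    return { ok: false, reason: 'title contains control characters' };
  }
  // NFKC folds compatibility forms (full-width letters and punctuation such
  // as "ｆｉｘ" or "："), so look-alike titles are judged on their canonical form.
  const title = rawTitle.normalize('NFKC').trim();
  if (title.length === 0) {
    return { ok: false, reason: 'title is empty' };
  }
  if (title.length > MAX_LENGTH) {
    return { ok: false, reason: `title exceeds ${MAX_LENGTH} characters` };
  }
  const m = TITLE_RE.exec(title);
  if (!m) {
    return { ok: false, reason: 'title does not match "type(scope)?: description"' };
  }
  const [, type, scope, breaking, description] = m;
  if (!ALLOWED_TYPES.includes(type)) {
    return { ok: false, reason: `unknown type "${type}"` };
  }
  // Shell metacharacters in the description are ordinary characters here;
  // the result is a plain object, never a command line.
  return { ok: true, type, scope: scope ?? null, breaking: breaking === '!', description };
}

module.exports = { validatePrTitle, ALLOWED_TYPES, MAX_LENGTH };
```

The control-character check runs before `normalize('NFKC')` on purpose: normalizing first and checking afterwards would let the check see only the folded form, while the length check runs after normalization so that the limit applies to what will actually be displayed.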