
security: replace vulnerable webhook steps with shared input sanitizer #264

Merged
Hannah-PortSwigger merged 1 commit into main from security/shared-input-sanitizer on Mar 12, 2026

Conversation

@djpaterson
Contributor

Summary

  • Add if: github.event.repository.fork == false guard to both workflows (previously missing)
  • Allowlist integrations.zoom.us in the hardened runner for webhook delivery
  • Replace direct shell execution of user-controlled inputs (echo/curl in run: steps) with shared sanitization action (PortSwigger/shared-workflows/sanitize-inputs) and fjogeleit/http-request-action
  • Preserves existing hardened runner and trigger types (opened, reopened)

This eliminates command injection risk from malicious issue titles, PR titles, and usernames.

Test plan

  • Merge and create a test issue to verify the webhook notification is received
  • Verify the fork guard prevents workflow execution on forks
  • Verify the sanitized payload format matches what the webhook consumer expects

🤖 Generated with Claude Code

Add fork guard to both workflows (previously missing). Allowlist
integrations.zoom.us in hardened runner. Replace direct shell execution
of user-controlled inputs with shared sanitization action and
http-request-action, eliminating command injection risk.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
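Added example, not code from this PR or from PortSwigger's shared-workflows: a POSIX sh script that reproduces the two patterns the summary above contrasts. `vulnerable_step` mimics what the Actions runner does with `run: echo "${{ github.event.issue.title }}"`: the expression is substituted as raw text into the script before the shell parses it, so a crafted title closes the quoted string and appends its own commands. `safe_step` is the `env:` pattern, where the same value reaches the shell only as an environment variable. `sanitize_for_webhook`, `json_string` and `build_payload` are hypothetical stand-ins for an allowlist sanitizer and a JSON-encoded notification body handed to an HTTP client step; they are not the interface or logic of `PortSwigger/shared-workflows/sanitize-inputs` or `fjogeleit/http-request-action`, whose inputs are not shown on this page. The issue title and username are constructed for the demo.

```shell
#!/bin/sh
# Added example: reproduces the command-injection pattern PR #264 removes.
# None of this is the repository's workflow code; the sanitizer below is a
# hypothetical stand-in, not the shared action's logic.

# Constructed attacker-controlled issue title. The embedded quote closes the
# string the workflow author wrote, and what follows is parsed as commands.
PAYLOAD='Crash on login"; echo INJECTED; echo "x'

# What the Actions runner effectively does for
#   run: echo "${{ github.event.issue.title }}"
# The expression is replaced as plain text BEFORE the shell sees the script,
# so the title's quote and semicolon become shell syntax.
vulnerable_step() {
    title="$1"
    script="echo \"${title}\""
    sh -c "$script"
}

# The hardened pattern:
#   env:
#     TITLE: ${{ github.event.issue.title }}
#   run: echo "$TITLE"
# The value is handed to the shell as an environment variable; it is expanded
# inside already-parsed double quotes and never becomes script text.
safe_step() {
    TITLE="$1" sh -c 'echo "$TITLE"'
}

# Hypothetical allowlist sanitizer (assumption, not the shared action): keep
# only characters that are harmless in a chat notification, drop the rest.
sanitize_for_webhook() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9 ._:/@#-'
}

# Escape a value for a JSON string literal so the webhook body stays
# well-formed even when the input contains quotes or backslashes.
# Newlines and carriage returns are dropped.
json_string() {
    printf '"%s"' "$(printf '%s' "$1" | tr -d '\n\r' | sed 's/\\/\\\\/g; s/"/\\"/g')"
}

# Build the notification body the way a sanitize-then-deliver pipeline would:
# sanitize, JSON-encode, and pass the finished document to an HTTP client
# step instead of interpolating the raw title into a curl command line.
build_payload() {
    title="$(sanitize_for_webhook "$1")"
    user="$(sanitize_for_webhook "$2")"
    printf '{"title":%s,"user":%s}' "$(json_string "$title")" "$(json_string "$user")"
}

echo "--- vulnerable: injected commands run ---"
vulnerable_step "$PAYLOAD"
echo "--- safe: title printed verbatim ---"
safe_step "$PAYLOAD"
echo "--- webhook body ---"
build_payload "$PAYLOAD" 'mallory $(id)'
echo
```

The fork guard and the egress allowlist from the summary are runner-level controls and have no shell equivalent here; the script only covers the interpolation boundary, which is where the injection the summary describes actually happens.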
Collaborator

@PortSwiggerWiener PortSwiggerWiener left a comment


LGTM 👍

@Hannah-PortSwigger Hannah-PortSwigger merged commit 97810d8 into main Mar 12, 2026
2 checks passed
@Hannah-PortSwigger Hannah-PortSwigger deleted the security/shared-input-sanitizer branch March 12, 2026 16:55


3 participants