fix: prevent command substitution in release tag validation#1
Merged
imnotStealthy merged 1 commit intoMay 8, 2026
Merged
Conversation
imnotStealthy
deleted the
codex/fix-shell-command-injection-in-workflow-validation
branch
There was a problem hiding this comment.
Pull request overview
Hardens the macOS release workflow against command-substitution injection by avoiding direct interpolation of the workflow_dispatch tag input into a Bash script, ensuring the tag is validated safely before proceeding in a job that can write release contents.
Changes:
- Pass
${{ inputs.tag }}into the validation step viaenv: TAGrather than embedding it directly in the Bash script. - Validate the tag using
[[ "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]to prevent command substitution from being evaluated.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| run: | | ||
| set -euo pipefail | ||
| [[ "${{ inputs.tag }}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]] | ||
| [[ "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]] |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
${{ inputs.tag }}was interpolated directly into a Bashrunscript, which could execute$(...)before the regex check in a job withcontents: writeand laterGH_TOKENuse.Description
Validate release tag formatstep in.github/workflows/release-macos.ymlto export the input viaenv: TAG: ${{ inputs.tag }}and validate with[[ "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]instead of interpolating${{ inputs.tag }}directly.Testing
npm run build(TypeScript compile) andnpm test(vitest), and all tests passed. Inspect.github/workflows/release-macos.ymlto confirm theenv: TAGchange and the new[[ "$TAG" =~ ... ]]check.Codex Task