Skip to content

Fix command injection in build workflow#4

Merged
lixen-wg2 merged 1 commit into
mainfrom
fix/workflow-command-injection
Jun 2, 2026
Merged

Fix command injection in build workflow#4
lixen-wg2 merged 1 commit into
mainfrom
fix/workflow-command-injection

Conversation

@lixen-wg2

@lixen-wg2 lixen-wg2 commented Jun 2, 2026

Copy link
Copy Markdown
Collaborator

Untrusted values (workflow_dispatch input otp_version and the OTP-* git tag name) were interpolated directly into shell run: blocks via ${{ ... }}, allowing arbitrary command execution.

  • Pass untrusted/contextual values via env: and reference them as quoted shell variables instead of inlining ${{ ... }} in run: scripts.
  • Validate the resolved OTP version against a strict allowlist regex and fail the job on anything outside [0-9.] with an optional -rcN suffix.

Applied across build-static, build-musl and build-glibc jobs.

@lixen-wg2
Fix command injection in build workflow
6dbb0a8 
Untrusted values (workflow_dispatch input otp_version and the OTP-* git
tag name) were interpolated directly into shell run: blocks via ${{ ... }},
allowing arbitrary command execution.

- Pass untrusted/contextual values via env: and reference them as quoted
  shell variables instead of inlining ${{ ... }} in run: scripts.
- Validate the resolved OTP version against a strict allowlist regex and
  fail the job on anything outside [0-9.] with an optional -rcN suffix.

Applied across build-static, build-musl and build-glibc jobs.
@lixen-wg2 lixen-wg2 merged commit 21b5bf2 into main Jun 2, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wmnsk wmnsk wmnsk approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lixen-wg2 @wmnsk