Commit 6a01be7

kevinjqliu, github-advanced-security[bot] and blackmwk authored
Potential fix for code scanning alert no. 1: Cache Poisoning via low-privileged code injection (#2164)
Potential fix for https://github.com/apache/iceberg-rust/security/code-scanning/1

To fix the issue, pass `github.event.workflow_run.head_branch` into the shell as an environment variable instead of interpolating it directly in the script, and then reference only the environment variable inside the `run` block. This follows the safer pattern from the “Secure Workflow” example, where GitHub expressions are resolved into environment variables and then treated as inert data.

Concretely, update the `Validate release tag format` step:

- Add an `env:` section with two variables:
  - `DISPATCH_RELEASE_TAG: ${{ github.event.inputs.release_tag }}`
  - `RUN_HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}`
- Replace the direct usages of `${{ github.event.inputs.release_tag }}` and `${{ github.event.workflow_run.head_branch }}` in the shell script with `$DISPATCH_RELEASE_TAG` and `$RUN_HEAD_BRANCH` respectively.

This change is all within `.github/workflows/release_python.yml`, in the `validate-release-tag` job, `Validate release tag format` step. No new methods, external definitions, or imports are required.

_Suggested fixes powered by Copilot Autofix. Review carefully before merging._

### Tested

On fork repo github action run: https://github.com/kevinjqliu/iceberg-rust/actions/runs/22290533306

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: blackmwk <liurenjie1024@outlook.com>
1 parent d84ae17 commit 6a01be7

1 file changed (+5 −2 lines changed)

.github/workflows/release_python.yml

Lines changed: 5 additions & 2 deletions
@@ -55,11 +55,14 @@ jobs:
5555
# Use input for workflow_dispatch, otherwise use `workflow_run.head_branch`
5656
# Note, `workflow_run.head_branch` does not contain `refs/tags/` prefix, just the tag name, i.e. `v0.4.0` or `v0.4.0-rc.1`
5757
# Valid formats: v<major>.<minor>.<patch> OR v<major>.<minor>.<patch>-rc.<release_candidate>
58+
env:
59+
DISPATCH_RELEASE_TAG: ${{ github.event.inputs.release_tag }}
60+
RUN_HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
5861
run: |
5962
if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
60-
RELEASE_TAG="${{ github.event.inputs.release_tag }}"
63+
RELEASE_TAG="$DISPATCH_RELEASE_TAG"
6164
else
62-
RELEASE_TAG="${{ github.event.workflow_run.head_branch }}"
65+
RELEASE_TAG="$RUN_HEAD_BRANCH"
6366
fi
6467
echo "Validating release tag: $RELEASE_TAG"
6568
if [[ ! "$RELEASE_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-rc\.[0-9]+)?$ ]]; then
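Review bot: the `if [ "${{ github.event_name }}" == "workflow_dispatch" ]` line in this hunk still interpolates a GitHub expression directly into the `run:` script. `github.event_name` is a fixed, GitHub-assigned event name rather than attacker-influenced input, so it is not the injection vector the alert describes, but for consistency with the pattern the hunk introduces it could also be moved into the new `env:` block (e.g. `EVENT_NAME: ${{ github.event_name }}`) and compared as `"$EVENT_NAME"`, leaving the `run:` block free of `${{ }}` expressions entirely. The anchored regex check on the last context line now operates on the env-sourced `$RELEASE_TAG`, which is the right place for it: any value that is not a well-formed tag fails the test before it is used further down the job.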
