debug: sentry-streams 0.0.56 400 upload #8436
Closed
joshuarli wants to merge 2 commits into
@sentry/warden / warden
completed
Jun 4, 2026 in 1m 41s
1 issue
Medium
workflow_dispatch `path` input injected into shell command with all production secrets in scope - `.github/workflows/publish-debug.yml:70`
The free-form `path` input is interpolated directly into the `bash -c` string (`cd __repo__/${{ inputs.path }}`), allowing anyone who can trigger this workflow to inject shell commands that execute with all production credentials (`TWINE_PASSWORD`, `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `GPG_PRIVATE_KEY`, `DOCKER_PASSWORD`, etc.) in scope. Move the value to an `env:` variable and reference it as a shell variable instead, e.g. `env: PUBLISH_PATH: ${{ inputs.path }}` and `cd "__repo__/$PUBLISH_PATH"`.
1 skill analyzed
| Skill | Findings | Duration | Cost |
|---|---|---|---|
| security-review | 1 | 1m 30s | $0.18 |
⏱ 1m 30s · 28.2k in / 4.2k out · $0.18
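The following script is an added example and is not code from this PR, from `publish-debug.yml`, or from the warden bot. It reproduces the mechanism behind the finding above: a GitHub Actions runner substitutes `${{ inputs.path }}` as raw text into the step script before bash parses it, so the input becomes part of the command line, whereas a value passed through `env:` is only expanded by bash as a single quoted word. The directory names, the `TWINE_PASSWORD` value, the payload and the `validate_path` allowlist check (which goes beyond the fix the finding suggests) are all constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR or from publish-debug.yml. Simulates how
# `${{ inputs.path }}` is pasted as text into a step script before bash runs it,
# versus passing the same value through `env:`. All names and values below
# (directories, secret, payload) are constructed for this demonstration.
set -u

WORK=$(mktemp -d)
mkdir -p "$WORK/__repo__/sentry_streams"
trap 'rm -rf "$WORK"' EXIT

# Vulnerable pattern, equivalent to the workflow step
#   run: bash -c "cd __repo__/${{ inputs.path }} && twine upload ..."
# By the time bash sees the script, the runner has already substituted the
# input into its text, and the step's env (here a constructed TWINE_PASSWORD,
# standing in for the real publish secrets) is exported into that shell.
unsafe_step() {
  local input=$1
  local script="cd __repo__/${input} && echo publishing"   # textual substitution
  (cd "$WORK" && TWINE_PASSWORD='constructed-secret' bash -c "$script" 2>/dev/null)
}

# Hardened pattern suggested by the finding, equivalent to
#   env:
#     PUBLISH_PATH: ${{ inputs.path }}
#   run: cd "__repo__/$PUBLISH_PATH" && twine upload ...
# bash parses only the fixed text `cd "__repo__/$PUBLISH_PATH"`; the value is
# expanded as one quoted word and never re-parsed as shell syntax, so a hostile
# input can at worst make the cd fail.
safe_step() {
  local input=$1
  (cd "$WORK" && TWINE_PASSWORD='constructed-secret' PUBLISH_PATH="$input" \
     bash -c 'cd "__repo__/$PUBLISH_PATH" && echo publishing' 2>/dev/null)
}

# Extra guard, an assumption of this example rather than part of the finding:
# reject anything that is not a plain relative path before it reaches the step.
validate_path() {
  case "$1" in
    ''|/*|*..*) return 1 ;;             # empty, absolute, or parent traversal
    *[!A-Za-z0-9._/-]*) return 1 ;;     # any shell metacharacter at all
  esac
  return 0
}

# Constructed payload: terminates the cd and echoes a secret from the step
# environment. Anyone able to trigger workflow_dispatch could supply it.
PAYLOAD='sentry_streams; echo "INJECTED:$TWINE_PASSWORD"'

echo "--- unsafe, benign input ---"; unsafe_step sentry_streams
echo "--- unsafe, payload ---";      unsafe_step "$PAYLOAD"
echo "--- safe, benign input ---";   safe_step sentry_streams
echo "--- safe, payload ---";        safe_step "$PAYLOAD" || echo "cd failed, nothing else ran"
echo "--- validate_path ---";        validate_path "$PAYLOAD" || echo "payload rejected"
```

Run it with `bash`; the unsafe branch prints the constructed secret on the payload input, the env-based branch fails the `cd` and executes nothing else, and `validate_path` rejects the payload outright. The same textual-substitution rule applies to every `${{ }}` expression inside `run:`, not only `inputs.*`, so the env-variable pattern is the right default for any value that is not a constant.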