
debug: sentry-streams 0.0.56 400 upload #8436

Closed

joshuarli wants to merge 2 commits into main from sentry-streams-twine-400

Commit 83ab7e9: debug
@sentry/warden / warden: security-review completed Jun 4, 2026 in 1m 39s

1 issue

security-review: Found 1 issue (1 medium)

Medium

workflow_dispatch `path` input injected into shell command with all production secrets in scope - `.github/workflows/publish-debug.yml:70`

The free-form `path` input is interpolated directly into the bash `-c` string (`cd __repo__/${{ inputs.path }}`), allowing anyone who can trigger this workflow to inject shell commands that execute with all production credentials (TWINE_PASSWORD, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, GPG_PRIVATE_KEY, DOCKER_PASSWORD, etc.) in scope. Move the value to an `env:` variable and reference it as a shell variable instead, e.g. `env: PUBLISH_PATH: ${{ inputs.path }}` and `cd "__repo__/$PUBLISH_PATH"`.
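As an added illustration (not code from this PR or from the project), a small Python check that flags untrusted `${{ }}` expressions used inside `run:` scripts, run over two constructed workflow fragments: the weak shape the review describes and the `env:`-based fix it suggests. The fragments are approximations, not the repository's `publish-debug.yml`, and the list of untrusted expression contexts is an assumption.

```python
import re

# Expression contexts treated as attacker-influenced (an assumption for this
# example; extend it for your own workflows).
UNTRUSTED = re.compile(r"\$\{\{\s*(?:inputs\.|github\.event\.|github\.head_ref)")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")


def run_scalars(workflow: str):
    """Yield (line_no, text) for every line that belongs to a `run:` script."""
    lines = workflow.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        indent, value = len(m.group(1)), m.group(2).strip()
        if value.startswith(("|", ">")):  # block scalar: body is the deeper-indented lines
            i += 1
            while i < len(lines) and (not lines[i].strip()
                                      or len(lines[i]) - len(lines[i].lstrip()) > indent):
                yield i + 1, lines[i]
                i += 1
        else:                              # inline scalar: the script is on this line
            yield i + 1, value
            i += 1


def find_injections(workflow: str) -> list[tuple[int, str]]:
    """Return (line_no, expression) for each untrusted ${{ }} used inside a run: script."""
    hits = []
    for no, text in run_scalars(workflow):
        for m in re.finditer(r"\$\{\{[^}]*\}\}", text):
            if UNTRUSTED.match(m.group(0)):
                hits.append((no, m.group(0)))
    return hits


# Constructed fragments: the weak shape the review describes, then the suggested fix.
VULNERABLE = """\
    steps:
      - run: bash -c "cd __repo__/${{ inputs.path }} && twine upload dist/*"
"""
FIXED = """\
    steps:
      - env:
          PUBLISH_PATH: ${{ inputs.path }}
          TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}
        run: |
          cd "__repo__/$PUBLISH_PATH"
          twine upload dist/*
"""
```

The fixed step passes the input through an environment variable, so the shell sees it as data rather than as part of the command text, and the checker reports nothing for it.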