From b1557c4962ccc3e3ac18224843505452632af8ed Mon Sep 17 00:00:00 2001
From: "fix-it-felix-sentry[bot]" <260785270+fix-it-felix-sentry[bot]@users.noreply.github.com>
Date: Wed, 29 Apr 2026 05:27:57 +0000
Subject: [PATCH] fix(workflows): Prevent script injection in sentry_dogfood workflow
Fixes script injection vulnerability by moving GitHub context variables to environment variables instead of direct interpolation in run scripts. This prevents potential code injection attacks where untrusted input from GitHub context (e.g., PR titles, branch names) could be used to inject malicious code into the workflow runner.
Changes:
- Move all GitHub context variables to env: block
- Reference environment variables with double quotes in scripts
- Apply fix to both iOS and Android upload steps
Fixes: https://linear.app/getsentry/issue/VULN-1590
Fixes: https://linear.app/getsentry/issue/EME-1088
Co-Authored-By: fix-it-felix-sentry[bot] <260785270+fix-it-felix-sentry[bot]@users.noreply.github.com>
---
 .github/workflows/sentry_dogfood.yml | 86 +++++++++++++++++++---------
 1 file changed, 60 insertions(+), 26 deletions(-)
diff --git a/.github/workflows/sentry_dogfood.yml b/.github/workflows/sentry_dogfood.yml
index 3fd837e8..aa9be81c 100644
--- a/.github/workflows/sentry_dogfood.yml
+++ b/.github/workflows/sentry_dogfood.yml
@@ -33,73 +33,107 @@ jobs:
 mv "$EXTRACTED_PATH" ./HackerNews.xcarchive
 - name: Upload iOS app to Sentry
+ env:
+ # Environment variables for pull_request context
+ HEAD_SHA_PR: ${{ github.event.pull_request.head.sha }}
+ BASE_SHA_PR: ${{ github.event.pull_request.base.sha }}
+ HEAD_REPO_NAME_PR: ${{ github.repository }}
+ BASE_REPO_NAME_PR: ${{ github.repository }}
+ HEAD_REF_PR: ${{ github.head_ref }}
+ BASE_REF_PR: ${{ github.base_ref }}
+ PR_NUMBER: ${{ github.event.number }}
+ # Environment variables for push context
+ HEAD_SHA_PUSH: ${{ github.sha }}
+ HEAD_REPO_NAME_PUSH: ${{ github.repository }}
+ HEAD_REF_PUSH: ${{ github.ref_name }}
+ # Event name for conditional logic
+ EVENT_NAME: ${{ github.event_name }}
+ # Secret token
+ SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_SENTRY_AUTH_TOKEN }}
 run: |
- if [ "${{ github.event_name }}" == "pull_request" ]; then
+ if [ "$EVENT_NAME" == "pull_request" ]; then
 sentry-cli \
 --log-level=debug \
- --auth-token ${{ secrets.SENTRY_SENTRY_AUTH_TOKEN }} \
+ --auth-token "$SENTRY_AUTH_TOKEN" \
 build \
 upload \
 ./HackerNews.xcarchive \
 --org sentry \
 --project launchpad-test-ios \
- --head-sha ${{ github.event.pull_request.head.sha }} \
- --base-sha ${{ github.event.pull_request.base.sha }} \
+ --head-sha "$HEAD_SHA_PR" \
+ --base-sha "$BASE_SHA_PR" \
 --vcs-provider github \
- --head-repo-name ${{ github.repository }} \
- --base-repo-name ${{ github.repository }} \
- --head-ref ${{ github.head_ref }} \
- --base-ref ${{ github.base_ref }} \
- --pr-number ${{ github.event.number }} \
+ --head-repo-name "$HEAD_REPO_NAME_PR" \
+ --base-repo-name "$BASE_REPO_NAME_PR" \
+ --head-ref "$HEAD_REF_PR" \
+ --base-ref "$BASE_REF_PR" \
+ --pr-number "$PR_NUMBER" \
 --build-configuration Release
 else
 sentry-cli \
 --log-level=debug \
- --auth-token ${{ secrets.SENTRY_SENTRY_AUTH_TOKEN }} \
+ --auth-token "$SENTRY_AUTH_TOKEN" \
 build \
 upload \
 ./HackerNews.xcarchive \
 --org sentry \
 --project launchpad-test-ios \
- --head-sha ${{ github.sha }} \
+ --head-sha "$HEAD_SHA_PUSH" \
 --vcs-provider github \
- --head-repo-name ${{ github.repository }} \
- --head-ref ${{ github.ref_name }} \
+ --head-repo-name "$HEAD_REPO_NAME_PUSH" \
+ --head-ref "$HEAD_REF_PUSH" \
 --build-configuration Release
 fi
 - name: Upload Android app to Sentry
+ env:
+ # Environment variables for pull_request context
+ HEAD_SHA_PR: ${{ github.event.pull_request.head.sha }}
+ BASE_SHA_PR: ${{ github.event.pull_request.base.sha }}
+ HEAD_REPO_NAME_PR: ${{ github.repository }}
+ BASE_REPO_NAME_PR: ${{ github.repository }}
+ HEAD_REF_PR: ${{ github.head_ref }}
+ BASE_REF_PR: ${{ github.base_ref }}
+ PR_NUMBER: ${{ github.event.number }}
+ # Environment variables for push context
+ HEAD_SHA_PUSH: ${{ github.sha }}
+ HEAD_REPO_NAME_PUSH: ${{ github.repository }}
+ HEAD_REF_PUSH: ${{ github.ref_name }}
+ # Event name for conditional logic
+ EVENT_NAME: ${{ github.event_name }}
+ # Secret token
+ SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_SENTRY_AUTH_TOKEN }}
 run: |
- if [ "${{ github.event_name }}" == "pull_request" ]; then
+ if [ "$EVENT_NAME" == "pull_request" ]; then
 sentry-cli \
 --log-level=debug \
- --auth-token ${{ secrets.SENTRY_SENTRY_AUTH_TOKEN }} \
+ --auth-token "$SENTRY_AUTH_TOKEN" \
 build \
 upload \
 ./tests/_fixtures/android/hn.aab \
 --org sentry \
 --project launchpad-test-android \
- --head-sha ${{ github.event.pull_request.head.sha }} \
- --base-sha ${{ github.event.pull_request.base.sha }} \
+ --head-sha "$HEAD_SHA_PR" \
+ --base-sha "$BASE_SHA_PR" \
 --vcs-provider github \
- --head-repo-name ${{ github.repository }} \
- --base-repo-name ${{ github.repository }} \
- --head-ref ${{ github.head_ref }} \
- --base-ref ${{ github.base_ref }} \
- --pr-number ${{ github.event.number }} \
+ --head-repo-name "$HEAD_REPO_NAME_PR" \
+ --base-repo-name "$BASE_REPO_NAME_PR" \
+ --head-ref "$HEAD_REF_PR" \
+ --base-ref "$BASE_REF_PR" \
+ --pr-number "$PR_NUMBER" \
 --build-configuration Release
 else
 sentry-cli \
 --log-level=debug \
- --auth-token ${{ secrets.SENTRY_SENTRY_AUTH_TOKEN }} \
+ --auth-token "$SENTRY_AUTH_TOKEN" \
 build \
 upload \
 ./tests/_fixtures/android/hn.aab \
 --org sentry \
 --project launchpad-test-android \
- --head-sha ${{ github.sha }} \
+ --head-sha "$HEAD_SHA_PUSH" \
 --vcs-provider github \
- --head-repo-name ${{ github.repository }} \
- --head-ref ${{ github.ref_name }} \
+ --head-repo-name "$HEAD_REPO_NAME_PUSH" \
+ --head-ref "$HEAD_REF_PUSH" \
 --build-configuration Release
 fi
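Review bot: `--auth-token "$SENTRY_AUTH_TOKEN"` in all four sentry-cli invocations still places the secret in the process arguments, where it is readable from the runner's process table by anything else running on that machine even though step-log masking hides it in output; sentry-cli reads `SENTRY_AUTH_TOKEN` from the environment on its own, so the `env:` entry this commit adds is sufficient and the `--auth-token` line can be dropped from each call. The 17-line `env:` block is repeated verbatim in the iOS and Android steps, so a later edit to one step will likely miss the other; the non-secret context entries could live once in the job's `env:` (the job header is above the hunk), with only `SENTRY_AUTH_TOKEN` kept step-scoped so it is not exposed to unrelated steps. The comments in the block name the variable groups but not why the indirection exists; a line above `env:` such as `# Pass context through env, never ${{ }} inside run:, so untrusted values (e.g. head_ref) cannot inject into the shell` would keep a future edit from interpolating them back into the script.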