Commit 060ee9d
fix(release-darwin): pass tag via env var (semgrep run-shell-injection)
Semgrep flagged 5× `yaml.github-actions.security.run-shell-injection`
in release-darwin.yml. Pattern was:
run: |
TAG="${GITHUB_REF_NAME:-${{ github.event.inputs.tag }}}"
The `${{ github.event.inputs.tag }}` expression gets interpolated INTO
the shell script at workflow runtime — a malicious workflow_dispatch
caller could inject shell code via the `tag` input.
Fix: hoist the tag resolution into a workflow-level `env: TAG: …`,
then reference $TAG inside each shell block. Same effective value
(workflow_dispatch input wins; falls back to ref_name on tag push),
but the input never reaches a shell un-escaped.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>1 parent ad888c1 commit 060ee9d
1 file changed
Lines changed: 6 additions & 5 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
27 | 27 | | |
28 | 28 | | |
29 | 29 | | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
30 | 36 | | |
31 | 37 | | |
32 | 38 | | |
| |||
48 | 54 | | |
49 | 55 | | |
50 | 56 | | |
51 | | - | |
52 | 57 | | |
53 | 58 | | |
54 | 59 | | |
| |||
62 | 67 | | |
63 | 68 | | |
64 | 69 | | |
65 | | - | |
66 | 70 | | |
67 | 71 | | |
68 | 72 | | |
| |||
76 | 80 | | |
77 | 81 | | |
78 | 82 | | |
79 | | - | |
80 | 83 | | |
81 | 84 | | |
82 | 85 | | |
| |||
85 | 88 | | |
86 | 89 | | |
87 | 90 | | |
88 | | - | |
89 | 91 | | |
90 | 92 | | |
91 | 93 | | |
| |||
97 | 99 | | |
98 | 100 | | |
99 | 101 | | |
100 | | - | |
101 | 102 | | |
102 | 103 | | |
103 | 104 | | |
| |||
0 commit comments