hello-stephen opened a new pull request, #63486:
URL: https://github.com/apache/doris/pull/63486

   ## Problem
   
   Two security issues in GitHub Actions workflows:
   
   **1. Expression injection — `comment-to-trigger-teamcity.yml`**
   
   `COMMENT_REPEAT_TIMES` was extracted from the PR comment body via an 
unanchored regex (`grep -E` uses substring matching, so `( [1-9]*[0-9]+)*` can 
match zero times). The raw value was then written directly to `$GITHUB_OUTPUT` 
without validation. Subsequent steps interpolate it as `${{ 
steps.parse.outputs.COMMENT_REPEAT_TIMES }}` inside `run:` blocks, which GitHub 
Actions evaluates **before** the shell runs — equivalent to string-splicing 
untrusted input into a shell script.
   
   Any user who can comment on an open PR could inject shell commands into the 
runner.
   
   **2. Python module shadowing — `license-eyes.yml`**
   
   The `pull_request_target` workflow checks out the fork's HEAD and runs 
`python3` with an inline heredoc. Python's `sys.path` includes `''` (the 
current working directory) by default, so a fork-supplied `yaml.py` at the repo 
root would be imported instead of the stdlib `yaml` module. Combined with 
`pull_request_target`'s elevated permissions, this allows arbitrary code 
execution.
   
   ## Fix
   
   - **`comment-to-trigger-teamcity.yml`**: validate `COMMENT_REPEAT_TIMES` is 
a non-negative integer (or empty) immediately after extraction, before writing 
to `$GITHUB_OUTPUT`. Non-numeric values are discarded.
   - **`license-eyes.yml`**: add `persist-credentials: false` to the fork 
checkout; strip `''` and `'.'` from `sys.path` before `import yaml` to prevent 
local module shadowing.
   
   ## Test
   
   Workflow logic is unchanged for valid inputs. The validation only affects 
malformed `COMMENT_REPEAT_TIMES` values (non-numeric strings), which had no 
defined behavior before.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
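The two issues above modelled in code, as an added example that is not part of the PR or of the Doris workflows. It assumes a hypothetical trigger syntax `run <pipeline> [N]`, a stand-in regex that keeps the `( [1-9]*[0-9]+)*` tail quoted in the description, a made-up `run:` template, and constructed PR comments; the fix side mirrors what the description says (digits-or-empty validation before `$GITHUB_OUTPUT`, and dropping `''`/`'.'` from `sys.path` before the import).

```python
"""Added example (not Doris code): the unanchored-extraction / expression
injection and the sys.path shadowing issues, each beside its fix."""
import importlib.machinery
import os
import re
import sys
import tempfile

# --- Issue 1: unanchored extraction, then ${{ }} interpolation into run: ----

# Hypothetical trigger regex. Like `grep -E`, re.search is a substring
# match, and the `( [1-9]*[0-9]+)*` tail may match zero times, so a hit
# says nothing about what follows the pipeline name on the comment line.
TRIGGER_RE = re.compile(r"run (\w+)( [1-9]*[0-9]+)*")

# The fix: a repeat count is a non-negative integer or empty, nothing else.
REPEAT_TIMES_RE = re.compile(r"[0-9]*")

# Hypothetical run: step. Actions substitutes the expression textually,
# before the shell starts, so no quoting in the template protects it.
RUN_TEMPLATE = 'teamcity_trigger.sh --repeat "${{ steps.parse.outputs.COMMENT_REPEAT_TIMES }}"'
EXPR_RE = re.compile(r"\$\{\{\s*steps\.parse\.outputs\.(\w+)\s*\}\}")


def extract_unsafe(comment: str) -> str:
    """Before the fix (assumed shape): everything after the pipeline name on
    the matching line becomes COMMENT_REPEAT_TIMES, unvalidated."""
    m = TRIGGER_RE.search(comment)
    if not m:
        return ""
    line = comment[m.start():].splitlines()[0]
    return line[m.end(1) - m.start():].strip()


def validate_repeat_times(raw: str) -> str:
    """After the fix: keep digits or empty; discard anything else."""
    return raw if REPEAT_TIMES_RE.fullmatch(raw) else ""


def render_run_step(template: str, outputs: dict) -> str:
    """Model GitHub's expression evaluation: plain text substitution."""
    return EXPR_RE.sub(lambda m: outputs.get(m.group(1), ""), template)


# --- Issue 2: '' on sys.path lets a checked-out yaml.py win the import ------

def harden_sys_path(path):
    """The fix: drop '' and '.' so the checkout directory is never searched."""
    return [p for p in path if p not in ("", ".")]


def yaml_origin(search_path):
    """Where `import yaml` would resolve, given this search path (no import)."""
    spec = importlib.machinery.PathFinder.find_spec("yaml", search_path)
    return os.path.realpath(spec.origin) if spec and spec.origin else None


def demo_shadowing() -> dict:
    """Constructed scenario: a fork-supplied yaml.py in the working directory
    (the state after checking out the PR head) with '' first on the path,
    as for `python3 - <<EOF`. The shadow module is never imported here."""
    cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as checkout:
        with open(os.path.join(checkout, "yaml.py"), "w") as f:
            f.write("SHADOW = True  # constructed stand-in for attacker code\n")
        os.chdir(checkout)
        try:
            root = os.path.realpath(checkout)
            search = [""] + [p for p in sys.path if p not in ("", ".")]
            unsafe = yaml_origin(search)
            hardened = yaml_origin(harden_sys_path(search))
            return {
                "unsafe_origin": unsafe,
                "hardened_origin": hardened,
                "unsafe_shadowed": unsafe == os.path.join(root, "yaml.py"),
                "hardened_shadowed": hardened is not None
                and hardened.startswith(root + os.sep),
            }
        finally:
            os.chdir(cwd)


if __name__ == "__main__":
    payload = 'run p0 3"; id; echo "'  # constructed malicious PR comment
    raw = extract_unsafe(payload)
    print("unsafe :", render_run_step(RUN_TEMPLATE, {"COMMENT_REPEAT_TIMES": raw}))
    print("fixed  :", render_run_step(RUN_TEMPLATE,
          {"COMMENT_REPEAT_TIMES": validate_repeat_times(raw)}))
    print(demo_shadowing())
```

In the real heredoc the equivalent of `harden_sys_path` is applied in place (`sys.path[:] = [p for p in sys.path if p not in ("", ".")]`) before `import yaml`; `hardened_origin` is `None` on a machine without PyYAML, which is the correct outcome (an ImportError rather than a fork-controlled module).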

