8000 ADHOC: Github workflow is vulnerable to command injection via Pull request branch name by neoskx · Pull Request #1135 · Roblox/creator-docs · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

ADHOC: Github workflow is vulnerable to command injection via Pull request branch name #1135

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

ADHOC: Github workflow is vulnerable to command injection via Pull request branch name #1135

wants to merge 1 commit into from

Conversation

neoskx
Copy link
@neoskx neoskx commented Jun 16, 2025
edited
Loading

To address this issue: https://roblox.atlassian.net/browse/BUGBOUNTY-1288

Changes

  1. Use Environment Variables: Move all the GitHub Actions expressions to the env section of the step
  2. Reference via Shell Variables: In the shell script, reference these as $VARIABLE_NAME instead of direct interpolation

Checks

By submitting your pull request for review, you agree to the following:

  • This contribution was created in whole or in part by me, and I have the right to submit it under the terms of this repository's open source licenses.
  • I understand and agree that this contribution and a record of it are public, maintained indefinitely, and may be redistributed under the terms of this repository's open source licenses.
  • To the best of my knowledge, all proposed changes are accurate.

AI Summary

  • Refactors GitHub Actions workflow to move expressions into the env section for safer variable handling
  • Updates shell script to use shell-style $VARIABLE_NAME syntax to prevent command injection vulnerabilities

This PR summary is AI-generated. Verify the code changes, as errors may occur, and share feedback in #code-center.
Note: The AI summary covers objective PR changes. The author must verify accuracy and add business context such as purpose, testing, and rollout plans.

Is this PR summary helpful? 👍 👎

@neoskx neoskx requested a review from a team as a code owner June 16, 2025 16:25
@neoskx neoskx requested a review from lorenmh June 16, 2025 16:25
@github-actions github-actions bot added github Changes the .github folder tools Makes non-content changes labels Jun 16, 2025
github-actions[bot]
github-actions bot reviewed Jun 16, 2025
View reviewed changes
Copy link
@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @neoskx, thanks so much for helping improve the Roblox creator documentation! Our technical writing team will review your pull request soon. In the meantime, please ensure you've read through the README.md, contribution guidelines, and style recommendations.

@neoskx neoskx closed this Jun 16, 2025
@neoskx neoskx deleted the adhoc/fix-code-injection branch June 16, 2025 16:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

@lorenmh lorenmh Awaiting requested review from lorenmh lorenmh is a code owner automatically assigned from Roblox/creator-knowledge

Assignees
No one assigned
Labels
github Changes the .github folder tools Makes non-content changes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@neoskx @neo-roblox
0