Skip to content

TPT-4056: Fix GitHub Actions script injection vulnerability#826

Merged
zliang-akamai merged 1 commit into
devfrom
fix/github-actions-script-injection
Jul 15, 2026
Merged

TPT-4056: Fix GitHub Actions script injection vulnerability#826
zliang-akamai merged 1 commit into
devfrom
fix/github-actions-script-injection

Conversation

@zliang-akamai

@zliang-akamai zliang-akamai commented Jul 14, 2026

Copy link
Copy Markdown
Member

📝 Description

Pass the workflow dispatch input through a step-level environment variable to prevent script injection without changing integration-test behavior.

@zliang-akamai
zliang-akamai requested review from a team as code owners July 14, 2026 21:20
@zliang-akamai
zliang-akamai requested review from psnoch-akamai and yec-akamai and removed request for a team July 14, 2026 21:20
@zliang-akamai zliang-akamai changed the title Fix GitHub Actions script injection vulnerability TPT-4056: Fix GitHub Actions script injection vulnerability Jul 14, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR mitigates a GitHub Actions script-injection risk by avoiding direct interpolation of workflow_dispatch input values into a run: command, while keeping the integration-test invocation behavior unchanged.

Changes:

  • Route inputs.test_suite through a step-level environment variable (TEST_SUITE) instead of embedding it directly in the shell command.
  • Update the make ... test-int invocation to consume the environment variable ($TEST_SUITE) with proper quoting.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@zliang-akamai
zliang-akamai merged commit 44ce7d9 into dev Jul 15, 2026
18 of 19 checks passed
@zliang-akamai
zliang-akamai deleted the fix/github-actions-script-injection branch July 15, 2026 19:31
@ezilber-akamai ezilber-akamai added repo-ci-improvement for improvements in the repository or CI workflow in the changelog. security for security fixes and improvements in the changelog. and removed repo-ci-improvement for improvements in the repository or CI workflow in the changelog. labels Jul 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

security for security fixes and improvements in the changelog.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants