Fix GitHub Actions: Prevent Command Injection in Firefox Workflow#989
Fix GitHub Actions: Prevent Command Injection in Firefox Workflow#989PeterDaveHello wants to merge 1 commit into
Conversation
|
Note Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported. |
📝 WalkthroughWalkthroughThe Firefox metadata update workflow step now validates that ChangesWorkflow Version Validation
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
PR Summary by QodoHarden Firefox metadata GitHub Action against command injection
AI Description
Diagram
High-Level Assessment
Files changed (1)
|
Code Review by Qodo
1. Implicit bash dependency
|
| run: | | ||
| if [[ ! "$FIREFOX_METADATA_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then | ||
| echo "Firefox version must use x.y.z semver format" >&2 | ||
| exit 1 | ||
| fi |
There was a problem hiding this comment.
1. Implicit bash dependency 🐞 Bug ⚙ Maintainability
此步驟新增了 bash 專用的 [[ ... =~ ... ]] 正則判斷,但 workflow/step 未明確指定 shell: bash,未來若 workflow 預設 shell 被調整(或重用到非 bash 環境)會導致語法錯誤而使更新步驟失敗。
Agent Prompt
### Issue description
The workflow step relies on bash-specific syntax (`[[ ... =~ ... ]]`) but does not explicitly pin the shell. This creates a portability/maintenance hazard: if the workflow’s default shell changes or the job is later adapted to a different runner/shell, the step may fail with a syntax error.
### Issue Context
The current step uses `[[` and `=~` for regex validation. These are not POSIX `sh` features.
### Fix Focus Areas
- .github/workflows/firefox-metadata.yml[30-36]
### Suggested fix
Add `shell: bash` to the step (or define `defaults: run: shell: bash` for the job/workflow), **or** rewrite the validation in POSIX-compatible `sh` (e.g., using `case`/`grep -E`).
ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools
There was a problem hiding this comment.
Pull request overview
This pull request hardens the Firefox metadata GitHub Actions workflow against command injection by ensuring the user-provided workflow_dispatch version input is treated as data (not shell code) and is validated before use.
Changes:
- Routes the
inputs.versionvalue through an environment variable and references it as"$FIREFOX_METADATA_VERSION"in the shell step. - Adds strict
x.y.zsemantic version validation (^[0-9]+\.[0-9]+\.[0-9]+$) and fails fast on invalid input.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Motivation
.github/workflows/firefox-metadata.ymldirectly expandsworkflow_dispatch.inputs.versioninto a shellrunstep, which can lead to command injection and potentially exposeFIREFOX_*secrets.Description
FIREFOX_METADATA_VERSIONenvironment variable and reference it in the shell as"$FIREFOX_METADATA_VERSION"to prevent GitHub Actions expressions from being expanded before shell parsing.^[0-9]+\.[0-9]+\.[0-9]+$) before runningnpm run release:update-firefox-metadata. The step is aborted if the input does not match the required format..github/workflows/firefox-metadata.yml.Testing
npm test; all automated unit tests passed with no failures.npm run lint; static analysis passed with no lint errors.npm run buildand verified that the expected artifacts exist inbuild/chromium/, and thatgit diff --checkreported no issues.Codex Task
Summary by CodeRabbit