Skip to content

Fix GitHub Actions: Prevent Command Injection in Firefox Workflow#989

Open
PeterDaveHello wants to merge 1 commit into
masterfrom
codex/fix-command-injection-vulnerability-in-workflow
Open

Fix GitHub Actions: Prevent Command Injection in Firefox Workflow#989
PeterDaveHello wants to merge 1 commit into
masterfrom
codex/fix-command-injection-vulnerability-in-workflow

Conversation

@PeterDaveHello

@PeterDaveHello PeterDaveHello commented Jun 30, 2026

Copy link
Copy Markdown
Member

Motivation

  • Detected that .github/workflows/firefox-metadata.yml directly expands workflow_dispatch.inputs.version into a shell run step, which can lead to command injection and potentially expose FIREFOX_* secrets.
  • The goal is to eliminate the injection risk with minimal changes while preserving the existing Firefox metadata update workflow.

Description

  • Changed the workflow to pass the user input through the FIREFOX_METADATA_VERSION environment variable and reference it in the shell as "$FIREFOX_METADATA_VERSION" to prevent GitHub Actions expressions from being expanded before shell parsing.
  • Added a strict x.y.z semantic version format validation (^[0-9]+\.[0-9]+\.[0-9]+$) before running npm run release:update-firefox-metadata. The step is aborted if the input does not match the required format.
  • Modified file: .github/workflows/firefox-metadata.yml.

Testing

  • Ran npm test; all automated unit tests passed with no failures.
  • Ran npm run lint; static analysis passed with no lint errors.
  • Ran npm run build and verified that the expected artifacts exist in build/chromium/, and that git diff --check reported no issues.

Codex Task

Summary by CodeRabbit

  • Bug Fixes
    • Improved Firefox metadata update checks by validating version input before running the update, reducing failed or invalid release updates.
    • The workflow now rejects malformed version values early with a clear error.

@gemini-code-assist

Copy link
Copy Markdown
Contributor

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

The Firefox metadata update workflow step now validates that FIREFOX_METADATA_VERSION matches a strict x.y.z semantic version pattern before running the update command, exiting with an error if validation fails. The version is now passed via the step's env block rather than inline.

Changes

Workflow Version Validation

Layer / File(s) Summary
Add version format validation to Firefox metadata step
.github/workflows/firefox-metadata.yml
The step now validates FIREFOX_METADATA_VERSION against a semantic version regex, aborts with exit 1 on mismatch, and sources the version via env instead of inline command arguments.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

A version checked, a script made strict,
No more guesses, just digits picked.
Hop, hop, validate before the run,
Firefox metadata, safely done! 🐇🦊

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title accurately summarizes the main change: hardening the Firefox GitHub Actions workflow against command injection.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/fix-command-injection-vulnerability-in-workflow

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@qodo-code-review

Copy link
Copy Markdown
Contributor

PR Summary by Qodo

Harden Firefox metadata GitHub Action against command injection

🐞 Bug fix ⚙️ Configuration changes 🕐 Less than 10 minutes

Grey Divider

AI Description

• Pass workflow input via env var and quote it in bash to prevent shell injection.
• Add strict x.y.z semver validation and fail fast on invalid versions.
• Keep existing npm-based Firefox metadata update flow unchanged otherwise.
Diagram

graph TD
  A["workflow_dispatch input: version"] --> B["Env: FIREFOX_METADATA_VERSION"] --> C{"Semver x.y.z?"} -->|"yes"| D["Run npm update script"] --> E["Update Firefox metadata"]
  C -->|"no"| F["Exit 1 + error"]
  G[("FIREFOX_* secrets")] --> D

  subgraph Legend
    direction LR
    _in["Input"] ~~~ _dec{"Decision"} ~~~ _proc["Process"] ~~~ _sec[("Secrets")]
  end
Loading
High-Level Assessment

The following are alternative approaches to this PR:

1. Validate with a semver tool (node/semver or npx semver)
  • ➕ More accurate semver handling (pre-releases/build metadata if desired)
  • ➕ Clearer error messages and maintainability vs bash regex
  • ➖ Adds dependency/tooling surface area to a workflow step
  • ➖ Slightly more moving parts for a minimal security fix
2. Use workflow_dispatch input constraints (choices) when feasible
  • ➕ Prevents invalid values before the runner starts
  • ➕ No shell parsing involved for validation
  • ➖ Not practical for arbitrary version values (needs enumerated list)
  • ➖ Still should quote/handle safely in the step
3. Add hardened shell defaults (set -euo pipefail) and explicit shell
  • ➕ Improves safety and debuggability across the step
  • ➕ Reduces risk from unset variables or silent failures
  • ➖ Can be a behavioral change if the script currently relies on unset vars
  • ➖ Still requires proper quoting/validation of inputs

Recommendation: The PR’s approach (env indirection + strict quoting + allowlist validation) is the best minimal-change mitigation for command injection in a workflow run step. Consider optionally adding set -euo pipefail for additional robustness, but the core security issue is already addressed effectively.

Files changed (1) +8 / -1

Bug fix (1) +8 / -1
firefox-metadata.ymlAvoid shell injection from dispatch input and validate version +8/-1

Avoid shell injection from dispatch input and validate version

• Replaces direct interpolation of 'inputs.version' in the 'run' command with an environment variable ('FIREFOX_METADATA_VERSION') used in a quoted context. Adds a strict x.y.z semver regex check to fail fast on invalid input before running the npm metadata update script.

.github/workflows/firefox-metadata.yml

@PeterDaveHello PeterDaveHello changed the title 修補 GitHub Actions:防止 Firefox metadata workflow 指令注入 Fix GitHub Actions: Prevent Command Injection in Firefox Workflow Jun 30, 2026
@PeterDaveHello PeterDaveHello requested a review from Copilot June 30, 2026 19:34
@qodo-code-review

Copy link
Copy Markdown
Contributor

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📜 Skill insights (0)

Grey Divider


Informational

1. Implicit bash dependency 🐞 Bug ⚙ Maintainability
Description
此步驟新增了 bash 專用的 [[ ... =~ ... ]] 正則判斷,但 workflow/step 未明確指定 shell: bash,未來若 workflow 預設 shell
被調整(或重用到非 bash 環境)會導致語法錯誤而使更新步驟失敗。
Code

.github/workflows/firefox-metadata.yml[R30-34]

+        run: |
+          if [[ ! "$FIREFOX_METADATA_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+            echo "Firefox version must use x.y.z semver format" >&2
+            exit 1
+          fi
Evidence
在本 PR 新增的 run 腳本中使用了 [[ ... =~ ... ]];同一個 workflow 檔案中並未看到 step-level shell:defaults.run.shell 設定,因此這段腳本對預設 shell 行為形成隱含依賴。

.github/workflows/firefox-metadata.yml[14-41]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The workflow step relies on bash-specific syntax (`[[ ... =~ ... ]]`) but does not explicitly pin the shell. This creates a portability/maintenance hazard: if the workflow’s default shell changes or the job is later adapted to a different runner/shell, the step may fail with a syntax error.

### Issue Context
The current step uses `[[` and `=~` for regex validation. These are not POSIX `sh` features.

### Fix Focus Areas
- .github/workflows/firefox-metadata.yml[30-36]

### Suggested fix
Add `shell: bash` to the step (or define `defaults: run: shell: bash` for the job/workflow), **or** rewrite the validation in POSIX-compatible `sh` (e.g., using `case`/`grep -E`).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Grey Divider

Qodo Logo

Comment on lines +30 to +34
run: |
if [[ ! "$FIREFOX_METADATA_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "Firefox version must use x.y.z semver format" >&2
exit 1
fi

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Informational

1. Implicit bash dependency 🐞 Bug ⚙ Maintainability

此步驟新增了 bash 專用的 [[ ... =~ ... ]] 正則判斷,但 workflow/step 未明確指定 shell: bash,未來若 workflow 預設 shell
被調整(或重用到非 bash 環境)會導致語法錯誤而使更新步驟失敗。
Agent Prompt
### Issue description
The workflow step relies on bash-specific syntax (`[[ ... =~ ... ]]`) but does not explicitly pin the shell. This creates a portability/maintenance hazard: if the workflow’s default shell changes or the job is later adapted to a different runner/shell, the step may fail with a syntax error.

### Issue Context
The current step uses `[[` and `=~` for regex validation. These are not POSIX `sh` features.

### Fix Focus Areas
- .github/workflows/firefox-metadata.yml[30-36]

### Suggested fix
Add `shell: bash` to the step (or define `defaults: run: shell: bash` for the job/workflow), **or** rewrite the validation in POSIX-compatible `sh` (e.g., using `case`/`grep -E`).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request hardens the Firefox metadata GitHub Actions workflow against command injection by ensuring the user-provided workflow_dispatch version input is treated as data (not shell code) and is validated before use.

Changes:

  • Routes the inputs.version value through an environment variable and references it as "$FIREFOX_METADATA_VERSION" in the shell step.
  • Adds strict x.y.z semantic version validation (^[0-9]+\.[0-9]+\.[0-9]+$) and fails fast on invalid input.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants