From fa99fca8a121a4e047ec7eb40f6109e7cd12ecfc Mon Sep 17 00:00:00 2001
From: "fix-it-felix-sentry[bot]" <260785270+fix-it-felix-sentry[bot]@users.noreply.github.com>
Date: Sun, 3 May 2026 21:29:52 +0000
Subject: [PATCH] fix: Prevent shell injection in GitHub Actions workflow

Fix shell injection vulnerability in e2e-v2.yml by using environment variables instead of direct interpolation of github.ref context data. The github.ref value is now passed through an intermediate environment variable (REF) and accessed with double-quotes in the script to prevent potential code injection attacks.

Co-Authored-By: Claude Sonnet 4.5
---
 .github/workflows/e2e-v2.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/e2e-v2.yml b/.github/workflows/e2e-v2.yml
index f9bcae9b1f..280535d3cc 100644
--- a/.github/workflows/e2e-v2.yml
+++ b/.github/workflows/e2e-v2.yml
@@ -291,8 +291,10 @@ jobs:
 - name: Sentry Release
 if: ${{ steps.platform-check.outputs.skip != 'true' }}
+ env:
+ REF: ${{ github.ref }}
 run: |
- SENTRY_RELEASE_CANDIDATE=$(echo 'e2e/${{ github.ref }}' | perl -pe 's/\//-/g')
+ SENTRY_RELEASE_CANDIDATE=$(echo "e2e/$REF" | perl -pe 's/\//-/g')
 echo "SENTRY_RELEASE=$SENTRY_RELEASE_CANDIDATE" >> $GITHUB_ENV
 - name: Sentry Dist