
Maintenance: Fix parameter injection vulnerability in make-version workflow #4899

@dreamorosi

Summary

SonarCloud code scanning alert #234 has identified a potential parameter injection vulnerability in the make-version.yml GitHub Actions workflow. The workflow passes user-controlled input directly to an action parameter using GitHub's expression syntax (${{ github.event.inputs.release-type }}), which is flagged as a security anti-pattern (rule githubactions:S8263).

While the practical risk is mitigated by the fact that this workflow uses workflow_dispatch with a constrained choice input (only auto, major, minor, patch are allowed), and only users with write access can trigger it, the pattern itself violates security best practices and should be addressed to maintain a clean security posture.

Why is this needed?

  • Resolves open security alert #234 flagged by SonarCloud with high severity
  • Aligns with OWASP Top 10 (A03:2021 - Injection) and CWE-78 best practices
  • Prevents potential command injection if the downstream action processes the input in shell commands
  • Maintains clean security scanning reports and demonstrates security-conscious CI/CD practices
  • Sets a good example for contributors and other projects using this codebase as reference

Which area does this relate to?

  • Automation

Solution

Pass the input via an environment variable instead of direct interpolation. Change .github/workflows/make-version.yml line 51 from:

- name: Version and changelog
  id: version-n-changelog
  uses: aws-powertools/actions/.github/actions/version-n-changelog@3b5b8e2e58b7af07994be982e83584a94e8c76c5
  with:
    release-type: ${{ github.event.inputs.release-type }}

To:

- name: Version and changelog
  id: version-n-changelog
  uses: aws-powertools/actions/.github/actions/version-n-changelog@3b5b8e2e58b7af07994be982e83584a94e8c76c5
  with:
    release-type: ${{ env.RELEASE_TYPE }}
  env:
    RELEASE_TYPE: ${{ github.event.inputs.release-type }}

Note: Line 54 also uses direct interpolation for steps.version-n-changelog.outputs.new-version in a shell command. While this is safer (comes from a trusted action output), it may warrant review for consistency.
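The following is an added example, not code from this issue or from the aws-powertools/actions repository. It shows the defensive half of the fix described above from the point of view of the step that consumes the value: the release type arrives in an environment variable (the `RELEASE_TYPE` name and the `env:` wiring are assumed from the proposed YAML), is checked against the same four values the workflow_dispatch choice input allows, and is only ever expanded inside double quotes, so the shell never re-parses it as command text. The downstream tool and its `--release-as` flag are hypothetical.

```shell
#!/bin/sh
# Added example; this is not code from the issue or from the
# aws-powertools/actions repository. It assumes the workflow step has
# placed the release-type input into the RELEASE_TYPE environment
# variable through an `env:` block, as in the fix above, and that the
# step body runs under POSIX sh.

# Allow-list check mirroring the workflow_dispatch choice input:
# only the four declared values are accepted, anything else is rejected.
validate_release_type() {
  case "$1" in
    auto|major|minor|patch) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the argument a (hypothetical) downstream tool would receive. The
# value is read from a variable and expanded inside double quotes, so
# metacharacters such as ';' or '$(' remain literal characters in one
# argument instead of being interpreted by the shell.
release_arg() {
  validate_release_type "$1" || {
    printf 'invalid release-type: %s\n' "$1" >&2
    return 1
  }
  printf '%s' "--release-as=$1"
}

# Report how many arguments a value becomes after expansion. Because the
# caller quotes the variable, a value containing spaces or ';' is still
# exactly one argument.
arg_count() {
  printf '%s' "$#"
}

# Usage inside a `run:` step (RELEASE_TYPE is the assumed env var):
#   arg="$(release_arg "${RELEASE_TYPE:-auto}")" || exit 1
#   some-tool "$arg"
```

The allow-list check is redundant with the choice input while the workflow is only triggered by workflow_dispatch, which is the mitigation the issue already notes; it becomes the load-bearing control if the same step is later reused with a less constrained trigger. Keeping the value out of the `${{ }}`-expanded script text (via `env:`) and quoting it at the point of use are the two halves of the CWE-78 guidance the issue cites.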

Acknowledgment

Future readers: Please react with 👍 and your use case to help us understand customer demand.

Metadata

Labels

  • completed: This item is complete and has been merged/shipped
  • internal: PRs that introduce changes in governance, tech debt and chores (linting setup, baseline, etc.)


Projects

Status

Shipped
