Avoid use of direct string injection in GitHub Workflow "run" steps.#185301
Conversation
This PR replaces the use of direct string injections from the GitHub environment
(i.e. `${{ env.VARIABLE}}`) and uses bash environment variables instead. This
mitigates the possibility of code injection attacks when running these workflows.
|
Note Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported. |
This comment was marked as off-topic.
This comment was marked as off-topic.
|
Why does using the env variable section for the script mitigate the injection issues? Does github do special parsing logic there? |
The problem with the |
agentfu
left a comment
There was a problem hiding this comment.
📋 Review Summary
The PR correctly identifies several places where direct string injection from the GitHub environment could lead to code injection attacks and replaces them with bash environment variables. However, the implementation is inconsistent across different workflow files, missing several steps that still use direct injections for gh commands, even when those same variables are moved to env in other steps of the same file.
🔍 General Feedback
- Excellent work on identifying and mitigating these security risks.
- Consistency across all workflows would make the codebase more robust and maintainable.
- Consider moving
github.repositoryandgithub.event.pull_request.numberto environment variables in all steps for a uniform approach, even if they are low-risk.
| id: revert-commit | ||
| working-directory: ./flutter | ||
| env: | ||
| PR_NUMBER: ${{ github.event.pull_request.number }} |
There was a problem hiding this comment.
[MEDIUM] The PR_NUMBER variable is moved to env in this step, but github.repository is still directly injected in the gh commands below. For consistency and to fully adhere to the PR's goal, consider moving github.repository to the env block as well (or use the default GITHUB_REPOSITORY environment variable).
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| env: | |
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| REPOSITORY: ${{ github.repository }} | |
| run: | | |
| if git revert $MERGE_COMMIT --no-edit; then | |
| echo "success=true" >> $GITHUB_OUTPUT | |
| else | |
| echo "success=false" >> $GITHUB_OUTPUT | |
| gh pr comment $PR_NUMBER -R $REPOSITORY -b "Failed to revert commit $MERGE_COMMIT cleanly. Please resolve conflicts manually." | |
| gh pr edit $PR_NUMBER -R $REPOSITORY --remove-label "revert_wf" | |
| exit 1 | |
| fi |
| git push origin ${{ env.BRANCH_NAME }} | ||
| git push origin $BRANCH_NAME | ||
|
|
||
| PR_LINK="https://github.com/flutter/flutter/pull/${{ github.event.pull_request.number }}" |
There was a problem hiding this comment.
[LOW] While github.event.pull_request.number is an integer and not a direct injection risk, it should be moved to the env block for consistency with the rest of the PR's changes.
| PR_LINK="https://github.com/flutter/flutter/pull/${{ github.event.pull_request.number }}" | |
| PR_LINK="https://github.com/flutter/flutter/pull/$PR_NUMBER" |
(Note: Ensure PR_NUMBER is added to the env block of this step as well).
There was a problem hiding this comment.
I am a human - I don't think this is needed?
| --head flutteractionsbot:${{ env.BRANCH_NAME }}) | ||
| --head flutteractionsbot:$BRANCH_NAME) | ||
|
|
||
| gh pr comment ${{ github.event.pull_request.number }} -R flutter/flutter -b "Successfully created revert PR: $NEW_PR_URL" |
There was a problem hiding this comment.
[LOW] Missed direct injection for PR_NUMBER and REPOSITORY.
| gh pr comment ${{ github.event.pull_request.number }} -R flutter/flutter -b "Successfully created revert PR: $NEW_PR_URL" | |
| gh pr comment $PR_NUMBER -R $REPOSITORY -b "Successfully created revert PR: $NEW_PR_URL" | |
| gh pr edit $PR_NUMBER -R $REPOSITORY --remove-label "revert_wf" |
| run: | | ||
| if git ls-remote --exit-code --heads origin ${{ env.BRANCH_NAME }}; then | ||
| echo "Error: Branch ${{ env.BRANCH_NAME }} already exists on remote." | ||
| if git ls-remote --exit-code --heads origin $BRANCH_NAME; then |
There was a problem hiding this comment.
I'm guessing "BRANCH_NAME" is a unique github variable that doesn't need "env:" given the previous usage was "env.BRANCH_NAME"
There was a problem hiding this comment.
I found out that things that are in env are automatically added to the bash environment, so this just works as long as it was added to the environment in a previous step. For other things like ${{ github.event.XYZ }} and stuff like that, you have to specify them in the env section in order to actually put them in bash environment variables.
| git push origin ${{ env.BRANCH_NAME }} | ||
| git push origin $BRANCH_NAME | ||
|
|
||
| PR_LINK="https://github.com/flutter/flutter/pull/${{ github.event.pull_request.number }}" |
There was a problem hiding this comment.
I am a human - I don't think this is needed?
|
Too bad the bot wouldn't create this review locally so I could not have it post lower quality comments.. |
They actually aren't low quality, IMO, but they are nits and probably not worth going back to do a whole new PR over. Maybe I'll try to clean these up later the next time I touch these files. |
flutter/flutter@2844af6...3d0e822 2026-04-21 goderbauer@google.com Reland "Unpin google_mobile_ads" (flutter/flutter#180838) 2026-04-21 ishaquehassan@gmail.com fix: correct LicenseRegistry docs to reference NOTICES instead of LICENSE (flutter/flutter#184572) 2026-04-21 engine-flutter-autoroll@skia.org Roll Skia from f8637ade3d92 to a234f0ed7245 (2 revisions) (flutter/flutter#185334) 2026-04-21 engine-flutter-autoroll@skia.org Roll Skia from 3b338913f623 to f8637ade3d92 (9 revisions) (flutter/flutter#185331) 2026-04-21 kevmoo@users.noreply.github.com Fix non-minimal relative imports in flutter_tools (flutter/flutter#183971) 2026-04-21 sigurdm@google.com Reapply "Unpin sdk package dependencies" (flutter/flutter#185268) 2026-04-21 robert.ancell@canonical.com Remove unused private header (flutter/flutter#185260) 2026-04-20 chris@bracken.jp [iOS] Improve LaunchEngine implementation/API/docs (flutter/flutter#185200) 2026-04-20 41930132+hellohuanlin@users.noreply.github.com [ios][pv] Reland platform view hitTest approach (again) (flutter/flutter#185126) 2026-04-20 engine-flutter-autoroll@skia.org Roll Skia from 75c2791c6274 to 3b338913f623 (3 revisions) (flutter/flutter#185304) 2026-04-20 srawlins@google.com ignore avoid_type_to_string lint rule (flutter/flutter#184765) 2026-04-20 jacksongardner@google.com Fix race condition in modifying release manifest. (flutter/flutter#185185) 2026-04-20 jason-simmons@users.noreply.github.com In the dev/bots/analyze.dart script, obtain the relevant set of paths from Git instead of crawling the filesystem (flutter/flutter#185058) 2026-04-20 jacksongardner@google.com [wimp] Implement images for wimp. (flutter/flutter#183913) 2026-04-20 47866232+chunhtai@users.noreply.github.com add the next batch for VPAT assessment (flutter/flutter#185053) 2026-04-20 engine-flutter-autoroll@skia.org Roll Packages from c2e3d1f to 01c505f (21 revisions) (flutter/flutter#185287) 2026-04-20 jacksongardner@google.com Avoid use of direct string injection in GitHub Workflow "run" steps. (flutter/flutter#185301) 2026-04-20 bkonyi@google.com Regenerate pubspec.lock (flutter/flutter#185290) 2026-04-20 jason-simmons@users.noreply.github.com Report an error if the git ls-tree command fails in the content_aware_hash script (flutter/flutter#185170) 2026-04-20 engine-flutter-autoroll@skia.org Roll Skia from d8415c5d7b91 to 75c2791c6274 (40 revisions) (flutter/flutter#185284) 2026-04-20 bkonyi@google.com Move widget_preview_scaffold into pub workspace (flutter/flutter#185176) 2026-04-20 dacoharkes@google.com [record_use] Run build hooks and link hooks in separate targets (flutter/flutter#184880) 2026-04-20 arpitgandhi9@users.noreply.github.com feat: add reloadIsRestart to handle hot reload as a restart for web #179448 (flutter/flutter#183233) 2026-04-20 engine-flutter-autoroll@skia.org Roll Fuchsia Linux SDK from aDbXQm6WA0wFCAUp-... to LPa7NLiXEZP2A7IwZ... (flutter/flutter#185269) If this roll has caused a breakage, revert this CL and stop the roller using the controls here: https://autoroll.skia.org/r/flutter-packages Please CC stuartmorgan@google.com on the revert to ensure that a human is aware of the problem. To file a bug in Packages: https://github.com/flutter/flutter/issues/new/choose To report a problem with the AutoRoller itself, please file a bug: https://issues.skia.org/issues/new?component=1389291&template=1850622 Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+doc/main/autoroll/README.md
…r#11548) flutter/flutter@2844af6...3d0e822 2026-04-21 goderbauer@google.com Reland "Unpin google_mobile_ads" (flutter/flutter#180838) 2026-04-21 ishaquehassan@gmail.com fix: correct LicenseRegistry docs to reference NOTICES instead of LICENSE (flutter/flutter#184572) 2026-04-21 engine-flutter-autoroll@skia.org Roll Skia from f8637ade3d92 to a234f0ed7245 (2 revisions) (flutter/flutter#185334) 2026-04-21 engine-flutter-autoroll@skia.org Roll Skia from 3b338913f623 to f8637ade3d92 (9 revisions) (flutter/flutter#185331) 2026-04-21 kevmoo@users.noreply.github.com Fix non-minimal relative imports in flutter_tools (flutter/flutter#183971) 2026-04-21 sigurdm@google.com Reapply "Unpin sdk package dependencies" (flutter/flutter#185268) 2026-04-21 robert.ancell@canonical.com Remove unused private header (flutter/flutter#185260) 2026-04-20 chris@bracken.jp [iOS] Improve LaunchEngine implementation/API/docs (flutter/flutter#185200) 2026-04-20 41930132+hellohuanlin@users.noreply.github.com [ios][pv] Reland platform view hitTest approach (again) (flutter/flutter#185126) 2026-04-20 engine-flutter-autoroll@skia.org Roll Skia from 75c2791c6274 to 3b338913f623 (3 revisions) (flutter/flutter#185304) 2026-04-20 srawlins@google.com ignore avoid_type_to_string lint rule (flutter/flutter#184765) 2026-04-20 jacksongardner@google.com Fix race condition in modifying release manifest. (flutter/flutter#185185) 2026-04-20 jason-simmons@users.noreply.github.com In the dev/bots/analyze.dart script, obtain the relevant set of paths from Git instead of crawling the filesystem (flutter/flutter#185058) 2026-04-20 jacksongardner@google.com [wimp] Implement images for wimp. (flutter/flutter#183913) 2026-04-20 47866232+chunhtai@users.noreply.github.com add the next batch for VPAT assessment (flutter/flutter#185053) 2026-04-20 engine-flutter-autoroll@skia.org Roll Packages from c2e3d1f to 01c505f (21 revisions) (flutter/flutter#185287) 2026-04-20 jacksongardner@google.com Avoid use of direct string injection in GitHub Workflow "run" steps. (flutter/flutter#185301) 2026-04-20 bkonyi@google.com Regenerate pubspec.lock (flutter/flutter#185290) 2026-04-20 jason-simmons@users.noreply.github.com Report an error if the git ls-tree command fails in the content_aware_hash script (flutter/flutter#185170) 2026-04-20 engine-flutter-autoroll@skia.org Roll Skia from d8415c5d7b91 to 75c2791c6274 (40 revisions) (flutter/flutter#185284) 2026-04-20 bkonyi@google.com Move widget_preview_scaffold into pub workspace (flutter/flutter#185176) 2026-04-20 dacoharkes@google.com [record_use] Run build hooks and link hooks in separate targets (flutter/flutter#184880) 2026-04-20 arpitgandhi9@users.noreply.github.com feat: add reloadIsRestart to handle hot reload as a restart for web #179448 (flutter/flutter#183233) 2026-04-20 engine-flutter-autoroll@skia.org Roll Fuchsia Linux SDK from aDbXQm6WA0wFCAUp-... to LPa7NLiXEZP2A7IwZ... (flutter/flutter#185269) If this roll has caused a breakage, revert this CL and stop the roller using the controls here: https://autoroll.skia.org/r/flutter-packages Please CC stuartmorgan@google.com on the revert to ensure that a human is aware of the problem. To file a bug in Packages: https://github.com/flutter/flutter/issues/new/choose To report a problem with the AutoRoller itself, please file a bug: https://issues.skia.org/issues/new?component=1389291&template=1850622 Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+doc/main/autoroll/README.md
This PR replaces the use of direct string injections from the GitHub environment (i.e.
${{ env.VARIABLE}}) and uses bash environment variables instead. This mitigates the possibility of code injection attacks when running these workflows.