Fix potential remote code execution issues#19
Merged
llucax merged 3 commits intofrequenz-floss:v1.x.xfrom Mar 19, 2026
Merged
Conversation
This commit addresses potential vulnerabilities that could lead to
remote code execution via shell-injection when the action is used in
workflows triggered by `pull_request_target` where the repository code
is checked out.
Move the `${{ inputs.dependencies }}` interpolation from the bash
command line into an intermediate environment variable `$DEPENDENCIES`,
and use `xargs` to process `$DEPENDENCIES`.
This prevents potential shell injection and potential shell glob
expansion of the dependencies string if an attacker manages to control
the dependencies input.
Signed-off-by: Leandro Lucarella <luca-frequenz@llucax.com>
This commit addresses potential vulnerabilities that could lead to remote code execution via Python path hijacking when the action is used in workflows triggered by `pull_request_target` where the repository code is checked out. Change all `python -m pip` commands to use the isolated mode flag (`python -I -m pip`). This prevents malicious local files like `pip.py` from shadowing the legitimate pip module and being executed when the command runs. Signed-off-by: Leandro Lucarella <luca-frequenz@llucax.com>
simonvoelcker
approved these changes
Mar 19, 2026
Add `permissions: {}` as this workflow doesn't need any permissions.
Signed-off-by: Leandro Lucarella <luca-frequenz@llucax.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR addresses potential vulnerabilities that could lead to remote code execution when the action is used in workflows triggered by
pull_request_targetwhere the repository code is checked out.python -m pipcommands to use the isolated mode flag (python -I -m pip). This prevents malicious local files likepip.pyfrom shadowing the legitimate pip module and being executed when the command runs.${{ inputs.dependencies }}interpolation from the bash command line into an intermediate environment variable$DEPENDENCIES. This prevents potential shell injection if an attacker manages to control the dependencies input.