
fix: Prevent script injection vulnerability in get-compose-action #4179

Merged
aldy505 merged 1 commit into master from fix/di-967-script-injection-vulnerability on Feb 19, 2026

Conversation

@fix-it-felix-sentry (Contributor)

Summary

This PR fixes a script injection vulnerability in the get-compose-action by using an environment variable to pass inputs.version instead of direct interpolation in the run script.

Changes

  • Added env: block to store inputs.version in COMPOSE_VERSION environment variable
  • Updated the run script to use "$COMPOSE_VERSION" instead of ${{ inputs.version }}
  • This prevents potential script injection attacks by treating the input as data rather than code

Security Impact

The original code used direct variable interpolation which could potentially allow an attacker to inject malicious code. By using an intermediate environment variable with proper quoting, the value is treated as data and cannot be executed as code.

References

Use environment variable to pass inputs.version instead of direct
interpolation in run script to prevent potential script injection.

Refs: DI-967, VULN-761
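An added illustrative example of the pattern the description refers to; this is not the repository's actual get-compose-action file, whose contents are not shown on this page. It assumes a composite action with a single `version` input and one `run` step that fetches a compose binary; the action name, description, download URL and step body are placeholders. The vulnerable form is kept as a comment beside the fixed step so the two can be compared.

```yaml
# Illustrative composite action (added example, not the project's own file).
# Assumption: an input named `version` is consumed by a bash `run` step.
name: get-compose (illustrative)
description: Download a docker compose binary of the requested version
inputs:
  version:
    description: compose version to fetch (placeholder semantics)
    required: true
runs:
  using: composite
  steps:
    # Before (vulnerable): `${{ inputs.version }}` is expanded by the runner
    # into the script text before bash parses it, so whatever the input
    # contains becomes part of the code bash executes.
    #
    # - shell: bash
    #   run: |
    #     curl -fsSL "https://example.invalid/compose/${{ inputs.version }}/docker-compose" -o docker-compose

    # After (fixed): the expression is expanded into an environment variable
    # instead; bash then reads COMPOSE_VERSION as a value, not as script text.
    # Double-quoting keeps it a single word even if it contains spaces.
    - shell: bash
      env:
        COMPOSE_VERSION: ${{ inputs.version }}
      run: |
        echo "fetching compose version $COMPOSE_VERSION"
        # placeholder URL; the real download location is not shown on this page
        curl -fsSL "https://example.invalid/compose/${COMPOSE_VERSION}/docker-compose" -o docker-compose
        chmod +x docker-compose
```

The same rule applies to any other expression that carries untrusted or caller-controlled content (`inputs.*`, `github.event.*` fields such as PR titles or branch names): route it through `env:` and reference the variable in quotes rather than interpolating it into `run:` directly.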
@linear linear bot commented Feb 19, 2026

@github-actions

Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).


Bug Fixes 🐛

  • Prevent script injection vulnerability in get-compose-action by fix-it-felix-sentry[bot] in #4179

🤖 This preview updates automatically when you update the PR.

@aldy505 aldy505 (Collaborator) left a comment

Great catch, Felix!

@aldy505 aldy505 requested a review from aminvakil February 19, 2026 06:10
@aminvakil aminvakil (Collaborator) left a comment

Good catch!

I think the whole get compose step can be removed, though; I'll check versions and come up with another PR.

I mean we can use the latest docker-compose shipped by GHA runners.

@aldy505 aldy505 (Collaborator) commented Feb 19, 2026

I think the whole get compose step can be removed though, I'll check versions and come up with another PR.

@aminvakil I wanna see what the bot is capable of. I just found out about it today.

@aldy505 aldy505 merged commit cbd79f0 into master Feb 19, 2026
16 checks passed
@aldy505 aldy505 deleted the fix/di-967-script-injection-vulnerability branch February 19, 2026 09:47
@aminvakil aminvakil (Collaborator)

Yes, this PR should've been merged anyway regardless of whether #4184 gets merged or not.

@github-actions github-actions bot locked and limited conversation to collaborators Mar 7, 2026