Skip to content

fix(ci): read PR title from env in auto-version workflow to prevent injection#6074

Merged
KazariEX merged 1 commit into
vuejs:masterfrom
arpitjain099:chore/harden-autoversion-injection
May 29, 2026
Merged

fix(ci): read PR title from env in auto-version workflow to prevent injection#6074
KazariEX merged 1 commit into
vuejs:masterfrom
arpitjain099:chore/harden-autoversion-injection

Conversation

@arpitjain099

Copy link
Copy Markdown
Contributor

I do software supply chain security work and was looking through Actions workflows for spots where untrusted input lands in a shell. Small fix for auto-version.yml.

The "Bump version from PR title" step does VERSION="${{ github.event.pull_request.title }}". Since Actions expands ${{ }} into the script text before bash runs, a PR title such as v3.0.0"; id; " gets evaluated as a shell command. The startsWith(..., 'v3.') job condition and the ^v[0-9]+...$ check don't prevent it: the title prefix is attacker-chosen, and the regex runs only after the assignment has already been interpolated.

Trigger here is pull_request (not pull_request_target), so for fork PRs the token is read-only and there are no secrets, which keeps the impact to code execution on the ephemeral runner rather than secret theft. Still worth closing since it is an easy foothold and the job otherwise runs with contents: write / pull-requests: write for same-repo PRs.

Fix routes the title through a PR_TITLE env var and assigns VERSION="$PR_TITLE"; env values aren't re-parsed by the shell, and the version regex still gates what reaches lerna. No change for legitimate version titles.

The Auto Version Bump workflow runs on pull_request (opened) and builds
VERSION="${{ github.event.pull_request.title }}" inside a run block. Actions
expands ${{ ... }} into the script before bash executes, so a PR title like
v3.0.0"; <command>; " is evaluated by the shell. The job is gated on the title
starting with "v3." (which a PR author controls) and the ^v...$ regex check runs
only after the assignment, so it does not prevent the injection.

This passes the title via a PR_TITLE env var and assigns VERSION="$PR_TITLE";
environment values are not re-parsed by the shell. The version regex still
guards what gets passed to lerna. No behavior change for real version titles.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@KazariEX KazariEX changed the title Read PR title from env in auto-version workflow to prevent injection fix(ci): read PR title from env in auto-version workflow to prevent injection May 28, 2026
@KazariEX KazariEX merged commit b51c92d into vuejs:master May 29, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants