Prevent shell injection #7310

Merged: youknowone merged 1 commit into RustPython:main from moreal:prevent-shell-injection on Mar 2, 2026

Conversation

@moreal (Contributor) commented Mar 2, 2026

Since github.event.pull_request.head.ref can be defined by anyone, it can be used in shell injection.
This pull request ensures those values aren't executed as shell scripts by setting them as env variables and using parameter expansion syntax to retrieve them.

Related resources

Summary by CodeRabbit

  • Chores
    • Refactored GitHub Actions workflows to use environment variables for improved configuration management and reliability across release, documentation, and commit automation processes.
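The mechanism behind this PR, as an added illustration that is not code from the pull request or from RustPython: a small POSIX shell script that simulates what the runner does in each case. A `${{ ... }}` expression is substituted into the `run:` script text before the shell ever parses it, so a branch name containing a double quote closes the string early and the rest of the name is parsed as commands. Setting the value as an environment variable instead leaves the script text constant, and the shell's own parameter expansion treats the value as data. `git push` is replaced by `echo` so the script runs offline, and the malicious branch name is constructed for the demonstration.

```shell
#!/bin/sh
# Constructed attacker-controlled branch name: anyone can open a PR from a
# fork whose branch is named like this, and it lands in
# github.event.pull_request.head.ref unchanged.
MALICIOUS_REF='feature"; echo INJECTED; echo "'

# Vulnerable pattern. Mimics the runner substituting the expression into the
# script text; the original workflow line had the shape
#   run: git push origin "${{ github.event.pull_request.head.ref }}"
# (git push replaced by echo so this runs offline).
render_vulnerable() {
  printf 'echo "pushing %s"\n' "$1"
}

# The rendered text is then handed to a shell, exactly as the runner does.
run_vulnerable() {
  sh -c "$(render_vulnerable "$1")"
}

# Hardened pattern from the PR. The runner exports the expression's value as
# HEAD_REF and the script text is a fixed string; $HEAD_REF is expanded by the
# shell as a single word and never re-parsed as code.
#   env:
#     HEAD_REF: ${{ github.event.pull_request.head.ref }}
#   run: git push origin "$HEAD_REF"
run_hardened() {
  HEAD_REF="$1" sh -c 'echo "pushing $HEAD_REF"'
}

echo "--- vulnerable: expression substituted into script text ---"
run_vulnerable "$MALICIOUS_REF"   # prints "pushing feature", then INJECTED
echo "--- hardened: value passed through the environment ---"
run_hardened "$MALICIOUS_REF"     # prints the whole branch name as data
```

The same reasoning applies to `inputs.*` values and to `github.event.*` fields such as PR titles, commit messages and user names: only the environment-variable form keeps the script text independent of the untrusted value, so quoting the expression inside `run:` is not a fix.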

@coderabbitai bot (Contributor) commented Mar 2, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between b1cddc4 and de1ba40.

📒 Files selected for processing (3)
  • .github/workflows/pr-auto-commit.yaml
  • .github/workflows/release.yml
  • .github/workflows/update-doc-db.yml

📝 Walkthrough

Walkthrough

This PR refactors three GitHub Actions workflows to use intermediate environment variables instead of directly interpolating GitHub context expressions. Changes replace direct references to github.event and inputs with environment variables (HEAD_REF, PRE_RELEASE_INPUT, PYTHON_VERSION) across multiple steps.

Changes

Cohort: GitHub Actions Workflow Refactoring
File(s): .github/workflows/pr-auto-commit.yaml, .github/workflows/release.yml, .github/workflows/update-doc-db.yml
Summary: Introduces intermediate environment variables to replace direct GitHub context interpolations. Adds HEAD_REF for git push references, PRE_RELEASE_INPUT for release type determination, and PYTHON_VERSION for version references in step logic and commit messages.


@moreal moreal marked this pull request as ready for review March 2, 2026 07:13
@youknowone youknowone merged commit 0a6a6f8 into RustPython:main Mar 2, 2026
22 of 24 checks passed
@fanninpm (Contributor) commented Mar 2, 2026

@varunsh-coder does this actually fix your problem? If so, you can close #7311.
