Fix shell injection vulnerability in release workflow (ENG-6554)#229

Merged
cameroncooke merged 4 commits into main from fix/eng-6554-shell-injection-vulnerability
Feb 21, 2026
Conversation

@fix-it-felix-sentry
Contributor

Summary

This PR fixes a high-severity shell injection vulnerability in the GitHub Actions release workflow.

Problem

The workflow was using direct interpolation of GitHub context data (${{ github.event_name }} and ${{ github.event.inputs.version }}) in shell scripts, which could allow an attacker to inject malicious code through user-controlled input.

Solution

  • Added an env: section to set environment variables GH_EVENT_NAME and GH_INPUT_VERSION
  • Updated the shell script to reference these environment variables with proper quoting
  • This prevents untrusted user data from being executed as code

Testing

The workflow file syntax is valid and follows GitHub Actions best practices for security hardening.

References

Resolves command injection vulnerability by using environment variables
instead of direct GitHub context interpolation in shell scripts.

This prevents potential malicious code injection through user-controlled
input in github.event_name and github.event.inputs.version.

Changes:
- Added env section with GH_EVENT_NAME and GH_INPUT_VERSION
- Updated shell script to reference environment variables
- Added proper quoting around variables

Fixes: https://linear.app/getsentry/issue/ENG-6554
Parent: https://linear.app/getsentry/issue/VULN-1163

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
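The pattern that the PR description and the commit message above refer to, reconstructed here as an added example. This is not the project's workflow file (the page does not show the diff); the job and step names, the tag-based release trigger, the `GITHUB_REF_NAME` fallback and the version-format check are assumptions added for illustration. Only the two environment variable names, `GH_EVENT_NAME` and `GH_INPUT_VERSION`, come from the PR itself.

```yaml
# Added example, not the project's own workflow. Names and triggers are assumed.
name: release

on:
  push:
    tags: ['v*']
  workflow_dispatch:
    inputs:
      version:
        description: 'Version to release'
        required: true

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # BEFORE (the vulnerable shape described in the PR):
      # `${{ ... }}` expressions are expanded by the Actions runner while it
      # assembles the script, before bash ever runs. Whatever the `version`
      # input contains therefore becomes part of the script source, and the
      # double quotes around it offer no protection at that stage.
      #
      # - name: Resolve version
      #   run: |
      #     if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
      #       VERSION="${{ github.event.inputs.version }}"
      #     else
      #       VERSION="${GITHUB_REF_NAME#v}"
      #     fi
      #     echo "version=$VERSION" >> "$GITHUB_OUTPUT"

      # AFTER (the fix): the context values are passed through `env:`.
      # The runner puts them in the process environment, the script text
      # contains only `$GH_EVENT_NAME` / `$GH_INPUT_VERSION`, and quoting
      # the expansions keeps each value a single shell word, so the input
      # is always treated as data rather than code.
      - name: Resolve version
        id: version
        env:
          GH_EVENT_NAME: ${{ github.event_name }}
          GH_INPUT_VERSION: ${{ github.event.inputs.version }}
        run: |
          set -euo pipefail
          if [ "$GH_EVENT_NAME" = "workflow_dispatch" ]; then
            VERSION="$GH_INPUT_VERSION"
          else
            # Assumed: tag pushes look like v1.2.3; strip the leading "v".
            VERSION="${GITHUB_REF_NAME#v}"
          fi
          # Added defence in depth (not in the PR): reject anything that is
          # not a plain semantic version before it reaches later steps.
          if ! printf '%s' "$VERSION" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then
            echo "Invalid version: $VERSION" >&2
            exit 1
          fi
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"

      - name: Use the resolved version
        run: echo "Releasing ${{ steps.version.outputs.version }}"
```

The essential difference is where the expansion happens. In the commented-out step the runner substitutes the context value into the script text, so the shell parses attacker-influenced characters as syntax. In the fixed step the shell only ever sees a variable reference and reads the value from its environment at runtime, which is why GitHub's own hardening guidance recommends `env:` plus quoting for any `run:` that touches untrusted context such as event inputs, branch names, PR titles or commit messages.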
@linear

linear bot commented Feb 18, 2026

@pkg-pr-new

pkg-pr-new bot commented Feb 18, 2026

npm i https://pkg.pr.new/getsentry/XcodeBuildMCP/xcodebuildmcp@229

commit: a4c6513

Contributor

@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.

@cameroncooke cameroncooke merged commit 67a7d80 into main Feb 21, 2026
10 checks passed
@cameroncooke cameroncooke deleted the fix/eng-6554-shell-injection-vulnerability branch February 21, 2026 20:27