Fix GitHub Actions: Prevent Command Injection in Firefox Workflow#989
Fix GitHub Actions: Prevent Command Injection in Firefox Workflow#989PeterDaveHello wants to merge 1 commit into
Conversation
|
Note Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported. |
📝 WalkthroughWalkthroughThe Firefox metadata workflow now documents three- or four-component version formats and validates ChangesWorkflow Version Validation
Estimated code review effort: 1 (Trivial) | ~3 minutes Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
PR Summary by QodoHarden Firefox metadata GitHub Action against command injection
AI Description
Diagram
High-Level Assessment
Files changed (1)
|
Code Review by Qodo
1.
|
There was a problem hiding this comment.
Pull request overview
This pull request hardens the Firefox metadata GitHub Actions workflow against command injection by ensuring the user-provided workflow_dispatch version input is treated as data (not shell code) and is validated before use.
Changes:
- Routes the
inputs.versionvalue through an environment variable and references it as"$FIREFOX_METADATA_VERSION"in the shell step. - Adds strict
x.y.zsemantic version validation (^[0-9]+\.[0-9]+\.[0-9]+$) and fails fast on invalid input.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Code Review SummaryStatus: No Issues Found | Recommendation: Merge Files Reviewed (1 file)
Incremental review note: the prior inline concern about the implicit bash dependency (use of Previous Review Summaries (2 snapshots, latest commit 2f820a0)Current summary above is authoritative. Previous snapshots are kept for context only. Previous review (commit 2f820a0)Status: No Issues Found | Recommendation: Merge Files Reviewed (1 file)
Previous review (commit 79436f1)Status: No Issues Found | Recommendation: Merge Files Reviewed (1 file)
Reviewed by hy3:free · Input: 22.5K · Output: 1.9K · Cached: 136.2K |
79436f1 to
2f820a0
Compare
|
@josStorer would you like to take a look at this PR? |
Match Firefox numeric manifest versions, including historical four-segment versions, while rejecting leading-zero components.
2f820a0 to
dd8d650
Compare
|
Note Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported. |
|
Code review by qodo was updated up to the latest commit dd8d650 |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
.github/workflows/firefox-metadata.yml (1)
18-19: 🔒 Security & Privacy | 🔵 Trivial | 💤 Low valueDisable credential persistence to improve security posture.
If
npm run release:update-firefox-metadatadoes not push commits back to the repository, you can safely disable credential persistence in the checkout action. This adheres to the principle of least privilege by preventing subsequent steps or dependencies from unnecessarily accessing the GitHub token in the runner environment.🛡️ Proposed fix to disable credential persistence
- name: Checkout uses: actions/checkout@v7 + with: + persist-credentials: false🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/firefox-metadata.yml around lines 18 - 19, Update the Checkout step using actions/checkout@v7 to disable credential persistence by setting persist-credentials to false, preserving the existing checkout behavior.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In @.github/workflows/firefox-metadata.yml:
- Around line 18-19: Update the Checkout step using actions/checkout@v7 to
disable credential persistence by setting persist-credentials to false,
preserving the existing checkout behavior.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 7eb36851-454e-41d3-82f3-a745e6c0d4c0
📒 Files selected for processing (1)
.github/workflows/firefox-metadata.yml
Motivation
.github/workflows/firefox-metadata.ymldirectly expandsworkflow_dispatch.inputs.versioninto a shellrunstep, which can lead to command injection and potentially exposeFIREFOX_*secrets.Description
FIREFOX_METADATA_VERSIONenvironment variable and reference it in the shell as"$FIREFOX_METADATA_VERSION"to prevent GitHub Actions expressions from being expanded before shell parsing.x.y.zandx.y.z.w, allowing up to nine digits per component while rejecting leading zeros. The step aborts before runningnpm run release:update-firefox-metadataif the input does not match.[[ ... =~ ... ]]validation..github/workflows/firefox-metadata.yml.Testing
npm test; all automated unit tests passed with no failures.npm run lint; static analysis passed with no lint errors.npm run buildand verified that the expected artifacts exist inbuild/chromium/, and thatgit diff --checkreported no issues.Codex Task
Summary by CodeRabbit
Summary by CodeRabbit
x.y.zandx.y.z.w).