This is an automated email from the ASF dual-hosted git repository.

hello-stephen pushed a commit to branch fix/github-actions-security-hardening
in repository https://gitbox.apache.org/repos/asf/doris.git

commit 18c2375c4baaf9f797649ae60785fb39db461ab4
Author: lidongyang <[email protected]>
AuthorDate: Thu May 21 18:01:20 2026 +0800

    [fix](ci) harden GitHub Actions workflows against injection and module 
shadowing
    
    - comment-to-trigger-teamcity.yml: validate that COMMENT_REPEAT_TIMES is
      numeric before writing it to GITHUB_OUTPUT, so a crafted PR comment
      cannot inject an arbitrary string into a later workflow expression
    - license-eyes.yml: add persist-credentials: false on pull_request_target
      checkout; strip CWD from Python sys.path to prevent fork-supplied
      yaml.py from shadowing the stdlib module
    
    Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
---
 .github/workflows/comment-to-trigger-teamcity.yml | 4 ++++
 .github/workflows/license-eyes.yml                | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/.github/workflows/comment-to-trigger-teamcity.yml 
b/.github/workflows/comment-to-trigger-teamcity.yml
index 92336f430f5..d706e171a65 100644
--- a/.github/workflows/comment-to-trigger-teamcity.yml
+++ b/.github/workflows/comment-to-trigger-teamcity.yml
@@ -133,6 +133,10 @@ jobs:
         reg="run 
(buildall|compile|p0|p1|feut|beut|cloudut|external|clickbench|cloud_p0|cloud_p1|vault_p0|nonConcurrent|performance|check_coverage)(
 [1-9]*[0-9]+)*"
         COMMENT_TRIGGER_TYPE="$(echo -e "${COMMENT_BODY}" | xargs | grep -E 
"${reg}" | awk -F' ' '{print $2}' | sed -n 1p | sed 's/\r//g')"
         COMMENT_REPEAT_TIMES="$(echo -e "${COMMENT_BODY}" | xargs | grep -E 
"${reg}" | awk -F' ' '{print $3}' | sed -n 1p | sed 's/\r//g')"
+        if [[ -n "${COMMENT_REPEAT_TIMES}" && ! "${COMMENT_REPEAT_TIMES}" =~ 
^[0-9]+$ ]]; then
+          echo "COMMENT_REPEAT_TIMES '${COMMENT_REPEAT_TIMES}' is not a valid 
number, ignoring."
+          COMMENT_REPEAT_TIMES=""
+        fi
         echo "COMMENT_TRIGGER_TYPE=${COMMENT_TRIGGER_TYPE}" | tee -a 
"$GITHUB_OUTPUT"
         echo "COMMENT_REPEAT_TIMES=${COMMENT_REPEAT_TIMES}" | tee -a 
"$GITHUB_OUTPUT"
 
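Review bot: COMMENT_TRIGGER_TYPE is still written to GITHUB_OUTPUT unchecked two lines below the new guard, although it comes from the same attacker-controlled comment: after `xargs` joins the body into one line, awk prints its second whitespace-separated field, so a comment such as `x run p0` yields `run` and any other non-space token is possible. If a later step interpolates that output with `${{ steps.….outputs.COMMENT_TRIGGER_TYPE }}` into a `run:` script or a URL (not visible here), the injection this commit closes for the repeat count remains open for the trigger type. Reject anything outside the allowlist the regex already defines, e.g. `if [[ ! "${COMMENT_TRIGGER_TYPE}" =~ ^(buildall|compile|p0|p1|feut|beut|cloudut|external|clickbench|cloud_p0|cloud_p1|vault_p0|nonConcurrent|performance|check_coverage)$ ]]; then COMMENT_TRIGGER_TYPE=""; fi`, or extract both values from one anchored `[[ "$line" =~ ^run\ (…)(\ [0-9]+)?$ ]]` match so field position cannot be confused. The `run:` script this belongs to starts before the hunk.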
diff --git a/.github/workflows/license-eyes.yml 
b/.github/workflows/license-eyes.yml
index 2fbccb9c0d3..c0705d67481 100644
--- a/.github/workflows/license-eyes.yml
+++ b/.github/workflows/license-eyes.yml
@@ -47,6 +47,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
 
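Review bot: `actions/checkout@v3` on the line above the new key is pinned to a mutable tag, so the code that runs with pull_request_target privileges can change underneath this workflow; pin it to a full commit SHA with the version in a trailing comment, `uses: actions/checkout@<full-40-char-sha> # v3`, and consider a current major, since v3 is built on a Node runtime GitHub has deprecated. `persist-credentials: false` is the right default here, but it only keeps the token out of `.git/config`; the fork's head is still checked out into the workspace, so every later step that reads or executes files from it (the `.licenserc.yaml` parse further down in this file, for instance) must treat them as untrusted. The step's `name:` and the job's `permissions:` are outside the hunk, so I cannot confirm the token scope this job runs with.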
       - name: Get changed files
         if: github.event_name == 'pull_request_target'
@@ -90,6 +91,9 @@ jobs:
           CHANGED_FILES: ${{ steps.changed-files.outputs.added_modified }}
         run: |
           python3 - <<'EOF'
+          import sys
+          # Prevent fork-supplied files from shadowing stdlib modules
+          sys.path = [p for p in sys.path if p not in ('', '.')]
           import yaml, os
 
           with open('.licenserc.yaml') as f:
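Review bot: Stripping `''` and `'.'` closes the `python3 -` shadowing path, but the parsed file itself comes from the fork's checkout: `.licenserc.yaml` on the last line of the hunk is attacker-controlled, so the loader call that follows (outside the hunk) must be `yaml.safe_load`; `yaml.load` with the default or full loader on that file would execute arbitrary Python regardless of `sys.path`. The filter also misses the case where the working directory is present as an absolute path (e.g. injected via `PYTHONPATH`); importing `os` before the filter and comparing against the cwd too, `sys.path = [p for p in sys.path if p not in ('', '.', os.getcwd())]`, covers it. If the runner's Python is 3.11 or newer, `python3 -P -` (or `PYTHONSAFEPATH=1`) removes the implicit cwd entry before any user code runs and is simpler than patching `sys.path` by hand.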

