This is an automated email from the ASF dual-hosted git repository.
kevinjqliu pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/iceberg-rust.git
The following commit(s) were added to refs/heads/main by this push:
new 6a01be7d4 Potential fix for code scanning alert no. 1: Cache Poisoning via low-privileged code injection (#2164)
6a01be7d4 is described below
commit 6a01be7d46334aedabb4e320893a62514ef31be3
Author: Kevin Liu <[email protected]>
AuthorDate: Mon Feb 23 20:52:37 2026 -0500
Potential fix for code scanning alert no. 1: Cache Poisoning via low-privileged code injection (#2164)
Potential fix for https://github.com/apache/iceberg-rust/security/code-scanning/1
To fix the issue, pass `github.event.workflow_run.head_branch` into the
shell as an environment variable instead of interpolating it directly in
the script, and then reference only the environment variable inside the
`run` block. This follows the safer pattern from the “Secure Workflow”
example, where GitHub expressions are resolved into environment
variables and then treated as inert data.
Concretely, update the `Validate release tag format` step:
- Add an `env:` section with two variables:
  - `DISPATCH_RELEASE_TAG: ${{ github.event.inputs.release_tag }}`
  - `RUN_HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}`
- Replace the direct usages of `${{ github.event.inputs.release_tag }}`
and `${{ github.event.workflow_run.head_branch }}` in the shell script
with `$DISPATCH_RELEASE_TAG` and `$RUN_HEAD_BRANCH` respectively.
This change is all within `.github/workflows/release_python.yml`, in the
`validate-release-tag` job, `Validate release tag format` step. No new
methods, external definitions, or imports are required.
_Suggested fixes powered by Copilot Autofix. Review carefully before
merging._
### Tested
On fork repo GitHub Actions run:
https://github.com/kevinjqliu/iceberg-rust/actions/runs/22290533306
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: blackmwk <[email protected]>
---
.github/workflows/release_python.yml | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
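The commit message above describes the env-var pattern in the abstract. The script below is an added illustration, not code from iceberg-rust or from the workflow, and reproduces the two step variants outside GitHub Actions: `run_interpolated` builds the script source by pasting the value into it, which is what `${{ }}` interpolation does before the shell starts; `run_with_env` hands the same value to the shell through an environment variable; `validate_release_tag` applies the step's regex allowlist (written as an ERE for `grep -E` so it also runs under plain `sh`). The function names and the `PAYLOAD` branch name are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: simulates `${{ }}` interpolation vs. the env-var pattern.
# Not part of iceberg-rust; the function names and PAYLOAD are constructed.

# Allowlist from the workflow step, as an ERE for grep so it also runs under sh.
validate_release_tag() {
    tag=$1
    nl='
'
    # A value with an embedded newline could get a second line past a
    # per-line grep match, so reject it outright.
    case "$tag" in *"$nl"*) return 1 ;; esac
    printf '%s' "$tag" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+(-rc\.[0-9]+)?$'
}

# Constructed branch name: closes the string literal, runs a command, reopens it.
# $((6*7)) becomes 42 only if a shell actually executes it as code.
PAYLOAD='v0.4.0"; echo PWNED-$((6*7)); echo "'

# OLD step: the runner pastes the expression's text into the script source
# before the shell starts, so the shell parses the payload as commands.
run_interpolated() {
    script="RELEASE_TAG=\"$1\"; printf '%s' \"\$RELEASE_TAG\""
    sh -c "$script" 2>/dev/null
}

# NEW step: the value arrives as an environment variable and is only ever
# expanded inside double quotes, so it stays one inert string.
run_with_env() {
    RUN_HEAD_BRANCH="$1" sh -c 'RELEASE_TAG="$RUN_HEAD_BRANCH"; printf "%s" "$RELEASE_TAG"'
}

printf 'interpolated: %s\n' "$(run_interpolated "$PAYLOAD")"
printf 'env var:      %s\n' "$(run_with_env "$PAYLOAD")"
for t in v0.4.0 v0.4.0-rc.1 v0.4.0-rc "$PAYLOAD"; do
    if validate_release_tag "$t"; then echo "accept: $t"; else echo "reject: $t"; fi
done
```

With the interpolated variant the output contains `PWNED-42`, meaning the injected `echo` ran; with the env-var variant the output is the payload text verbatim, and the allowlist then rejects it because it is not a bare `v<major>.<minor>.<patch>` or `-rc.<n>` tag.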
diff --git a/.github/workflows/release_python.yml
b/.github/workflows/release_python.yml
index 2203271b3..f4cf4a761 100644
--- a/.github/workflows/release_python.yml
+++ b/.github/workflows/release_python.yml
@@ -55,11 +55,14 @@ jobs:
# Use input for workflow_dispatch, otherwise use
`workflow_run.head_branch`
# Note, `workflow_run.head_branch` does not contain `refs/tags/`
prefix, just the tag name, i.e. `v0.4.0` or `v0.4.0-rc.1`
# Valid formats: v<major>.<minor>.<patch> OR
v<major>.<minor>.<patch>-rc.<release_candidate>
+ env:
+ DISPATCH_RELEASE_TAG: ${{ github.event.inputs.release_tag }}
+ RUN_HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
run: |
if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
- RELEASE_TAG="${{ github.event.inputs.release_tag }}"
+ RELEASE_TAG="$DISPATCH_RELEASE_TAG"
else
- RELEASE_TAG="${{ github.event.workflow_run.head_branch }}"
+ RELEASE_TAG="$RUN_HEAD_BRANCH"
fi
echo "Validating release tag: $RELEASE_TAG"
if [[ ! "$RELEASE_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-rc\.[0-9]+)?$
]]; then
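Review bot: `${{ github.event_name }}` is still interpolated directly into the script on the `if` line of this hunk. That value is set by GitHub from the trigger, not by whoever pushed the branch or tag, so it is not an injection vector, but moving it into the same `env:` block (for example `EVENT_NAME: ${{ github.event_name }}` and `if [ "$EVENT_NAME" == "workflow_dispatch" ]; then`) would make the step consistent with the pattern the commit describes and leave the `run:` block with no expression syntax at all. The rest of the hunk looks right: `RELEASE_TAG="$RUN_HEAD_BRANCH"` is a quoted shell expansion, so a branch name containing quotes, `;` or `$(...)` stays a single string, and the `[[ "$RELEASE_TAG" =~ ^v[0-9]+...$ ]]` allowlist (pattern correctly left unquoted so it is treated as a regex) rejects anything that is not a plain version tag. Worth confirming in the rest of the file, outside this hunk, that later steps consume the validated `$RELEASE_TAG` (or an output derived from it) rather than reading `github.event.workflow_run.head_branch` again.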