From 7c74574d3cd7bd117daababb1c1af5af57e5cc59 Mon Sep 17 00:00:00 2001
From: Marijn Doeve
Date: Fri, 3 Jul 2026 13:54:52 +0200
Subject: [PATCH] fix(ci): prevent script injection in Portainer deployment step (#170)

Move IMAGE_TAG and SENTRY_RELEASE step outputs into env: vars so they are passed as environment variables rather than interpolated directly into the shell command string, eliminating a potential script-injection vector via a crafted tag or Sentry version value.
---
 .github/workflows/ci.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fb365c6..333d19c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -243,5 +243,7 @@ jobs:
 shell: bash
 env:
 PORTAINER_WEBHOOK: ${{secrets.PORTAINER_WEBHOOK}}
+ IMAGE_TAG: ${{steps.meta.outputs.tag}}
+ SENTRY_RELEASE: ${{steps.meta.outputs.sentry_version}}
 run: |
- curl -v -X POST "${PORTAINER_WEBHOOK}?IMAGE_TAG=${{steps.meta.outputs.tag}}&SENTRY_RELEASE=${{steps.meta.outputs.sentry_version}}" --fail-with-body
+ curl -v -X POST "${PORTAINER_WEBHOOK}?IMAGE_TAG=${IMAGE_TAG}&SENTRY_RELEASE=${SENTRY_RELEASE}" --fail-with-body
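Review bot: Passing the step outputs through env: closes the shell-injection path, but on the new run: line the values are still spliced into the query string unencoded, so a tag or Sentry version containing `&`, `#` or `=` can still add or truncate webhook parameters. Letting curl encode them avoids hand-quoting: `curl -sS -X POST "${PORTAINER_WEBHOOK}" --url-query "IMAGE_TAG=${IMAGE_TAG}" --url-query "SENTRY_RELEASE=${SENTRY_RELEASE}" --fail-with-body` (`--url-query` needs curl 7.87 or newer; on older runners `jq -rn --arg v "$IMAGE_TAG" '$v|@uri'` produces the same encoding). Separately, `-v` writes the request line and headers to the job log, and GitHub's masking only matches the exact PORTAINER_WEBHOOK value, so the webhook path is likely to appear in plain text; `-sS` keeps failures visible without that. The enclosing step definition starts outside the hunk.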