Files
plane/.github/workflows
Manish Gupta 24fad369e9 [WEB-7945] fix(security): prevent shell injection in feature-deployment.yml (#9334)
* [WEB-7945] fix(security): prevent shell injection in feature-deployment.yml

Bind `github.event.inputs.base_tag_name` and `env.TARGET_BRANCH` to
step-level env vars (INPUT_BASE_TAG_NAME, GH_TARGET_BRANCH) and
reference them as shell variables in the run: script instead of
interpolating ${{ }} expressions inline.

GitHub Actions expands ${{ }} before the shell executes, so a crafted
base_tag_name value could inject arbitrary commands into the runner
context (GHSA-gfj7-g3wj-2p5f). Using env: breaks the injection path —
the value is set as a process environment variable, never as raw shell
text.

Co-authored-by: Plane AI <noreply@plane.so>

* [WEB-7945] fix: strip CR/LF from base_tag_name before writing to GITHUB_OUTPUT

A newline embedded in the value would let an attacker forge additional
output keys in the line-delimited $GITHUB_OUTPUT file (output injection).
Strip \r and \n via tr before writing AIO_BASE_TAG, addressing the
CodeRabbit finding on PR #9334.

Co-authored-by: Plane AI <noreply@plane.so>

---------

Co-authored-by: Plane AI <noreply@plane.so>
2026-07-01 13:38:36 +05:30
..