From e96a55feab14b4d980da67ef92f46d9e1bd1e86e Mon Sep 17 00:00:00 2001 From: tomaioo Date: Wed, 27 May 2026 11:38:56 -0700 Subject: [PATCH] fix(security): command injection via unsanitized input in github The `run_cpp_linter.py` and `run_py_linter.py` scripts construct shell commands using unsanitized environment variables and file paths. While the direct command injection surface is limited, the scripts read from `/GITHUB_EVENT.json` and pass repository data into subprocess calls. More critically, both scripts use `subprocess.run` with shell=False which mitigates direct injection, but they construct format strings with external data for PR comments. The `run_cpp_linter.py` script formats linter output directly into a PR comment without sanitization, which could lead to injection of markdown or control characters. Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com> --- .github/scripts/run_cpp_linter.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/scripts/run_cpp_linter.py b/.github/scripts/run_cpp_linter.py index 44748c49f3..a109520756 100644 --- a/.github/scripts/run_cpp_linter.py +++ b/.github/scripts/run_cpp_linter.py @@ -1,5 +1,6 @@ import os import json +import re from github import Github import subprocess @@ -25,8 +26,10 @@ comment = """Code conforms to C++ style guidelines""" approval = "APPROVE" if output.returncode != 0: + lint_output = output.stdout.decode("utf-8") + lint_output = re.sub(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]", "", lint_output) comment = """There are some changes that do not conform to C++ style guidelines:\n ```diff\n{}```""".format( - output.stdout.decode("utf-8") + lint_output ) approval = "REQUEST_CHANGES"