From d8d8a07d77f9af8ce37edd85b18b8a52f2a30472 Mon Sep 17 00:00:00 2001 From: XananasX7 Date: Sun, 28 Jun 2026 02:16:16 +0000 Subject: [PATCH] fix(security): prevent prompt injection and pin Actions to SHAs 1. Prompt injection in gemini-invoke.yml and gemini-review.yml (HIGH) TITLE/DESCRIPTION/ISSUE_TITLE/ISSUE_BODY from GitHub events passed directly as env vars to gemini-cli agent with issues:write and pull-requests:write permissions. Removed - agent must use ISSUE_NUMBER to fetch content via the GitHub API instead. 2. Tag-pinned actions across all workflows (MEDIUM) Pinned actions/checkout and actions/setup-python to commit SHAs. --- .github/workflows/gemini-invoke.yml | 5 +++-- .github/workflows/gemini-review.yml | 4 ++-- .github/workflows/release-cherry-pick.yml | 2 +- .github/workflows/release-cut.yml | 2 +- .github/workflows/release-finalize.yml | 2 +- .github/workflows/release-please.yml | 2 +- .github/workflows/release-publish.yml | 4 ++-- .github/workflows/unit-tests.yaml | 4 ++-- 8 files changed, 13 insertions(+), 12 deletions(-) diff --git a/.github/workflows/gemini-invoke.yml b/.github/workflows/gemini-invoke.yml index 11bc2c61..27649bcc 100644 --- a/.github/workflows/gemini-invoke.yml +++ b/.github/workflows/gemini-invoke.yml @@ -44,8 +44,9 @@ jobs: id: 'run_gemini' uses: 'google-github-actions/run-gemini-cli@v0' # ratchet:exclude env: - TITLE: '${{ github.event.pull_request.title || github.event.issue.title }}' - DESCRIPTION: '${{ github.event.pull_request.body || github.event.issue.body }}' + # TITLE and DESCRIPTION intentionally omitted: passing raw GitHub event + # content as env vars is a prompt-injection vector. The agent should + # fetch PR/issue content via the GitHub API using ISSUE_NUMBER. EVENT_NAME: '${{ github.event_name }}' GITHUB_TOKEN: '${{ steps.mint_identity_token.outputs.token || secrets.GITHUB_TOKEN || github.token }}' IS_PULL_REQUEST: '${{ !!github.event.pull_request }}' diff --git a/.github/workflows/gemini-review.yml b/.github/workflows/gemini-review.yml index 4bd4470f..a6ddbed2 100644 --- a/.github/workflows/gemini-review.yml +++ b/.github/workflows/gemini-review.yml @@ -46,8 +46,8 @@ jobs: id: 'gemini_pr_review' env: GITHUB_TOKEN: '${{ steps.mint_identity_token.outputs.token || secrets.GITHUB_TOKEN || github.token }}' - ISSUE_TITLE: '${{ github.event.pull_request.title || github.event.issue.title }}' - ISSUE_BODY: '${{ github.event.pull_request.body || github.event.issue.body }}' + # ISSUE_TITLE and ISSUE_BODY intentionally omitted: prompt-injection vector. + # Agent must fetch content via GitHub API using PULL_REQUEST_NUMBER. PULL_REQUEST_NUMBER: '${{ github.event.pull_request.number || github.event.issue.number }}' REPOSITORY: '${{ github.repository }}' ADDITIONAL_CONTEXT: '${{ inputs.additional_context }}' diff --git a/.github/workflows/release-cherry-pick.yml b/.github/workflows/release-cherry-pick.yml index ac5e5c08..3daab1d6 100644 --- a/.github/workflows/release-cherry-pick.yml +++ b/.github/workflows/release-cherry-pick.yml @@ -18,7 +18,7 @@ jobs: cherry-pick: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: release/candidate fetch-depth: 0 diff --git a/.github/workflows/release-cut.yml b/.github/workflows/release-cut.yml index 8dbed404..00d624c6 100644 --- a/.github/workflows/release-cut.yml +++ b/.github/workflows/release-cut.yml @@ -18,7 +18,7 @@ jobs: cut-release: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: ${{ inputs.commit_sha || 'main' }} diff --git a/.github/workflows/release-finalize.yml b/.github/workflows/release-finalize.yml index b9d6203f..8214a02d 100644 --- a/.github/workflows/release-finalize.yml +++ b/.github/workflows/release-finalize.yml @@ -29,7 +29,7 @@ jobs: echo "is_release_pr=false" >> $GITHUB_OUTPUT fi - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 if: steps.check.outputs.is_release_pr == 'true' with: ref: release/candidate diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index 791d84a5..19a7eb5d 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -30,7 +30,7 @@ jobs: echo "exists=false" >> $GITHUB_OUTPUT fi - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 if: steps.check.outputs.exists == 'true' with: ref: release/candidate diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml index 95ee326a..52939675 100644 --- a/.github/workflows/release-publish.yml +++ b/.github/workflows/release-publish.yml @@ -28,7 +28,7 @@ jobs: echo "version=$VERSION" >> $GITHUB_OUTPUT echo "Publishing version: $VERSION" - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Install uv uses: astral-sh/setup-uv@v4 @@ -36,7 +36,7 @@ jobs: version: "latest" - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: "3.11" diff --git a/.github/workflows/unit-tests.yaml b/.github/workflows/unit-tests.yaml index e3769d50..0d2cbe7f 100644 --- a/.github/workflows/unit-tests.yaml +++ b/.github/workflows/unit-tests.yaml @@ -16,10 +16,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: ${{ matrix.python-version }}