From 5cd362398442c53db49f393120766b0f3807bbe7 Mon Sep 17 00:00:00 2001
From: vineethkuttan <66076509+vineethkuttan@users.noreply.github.com>
Date: Fri, 22 May 2026 14:52:33 +0530
Subject: [PATCH] Harden perf-comment workflow inputs

---
 .github/workflows/perf-comment.yml | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/perf-comment.yml b/.github/workflows/perf-comment.yml
index adf318abc52..771720d7d49 100644
--- a/.github/workflows/perf-comment.yml
+++ b/.github/workflows/perf-comment.yml
@@ -39,6 +39,11 @@ jobs:
 exit 0
 fi
 PR_NUMBER=$(cat "$PR_FILE" | tr -d '[:space:]')
+ # Validate: must be a positive integer to prevent injection via artifact poisoning
+ if ! echo "$PR_NUMBER" | grep -qE '^[1-9][0-9]*$'; then
+ echo "::error::Invalid PR number in artifact: not a positive integer"
+ exit 1
+ fi
 echo "number=$PR_NUMBER" >> "$GITHUB_OUTPUT"
 echo "skip=false" >> "$GITHUB_OUTPUT"
@@ -58,12 +63,20 @@ jobs:
 - name: Post or update PR comment
 if: steps.pr.outputs.skip != 'true' && steps.report.outputs.skip != 'true'
 uses: actions/github-script@v7
+ env:
+ REPORT_PATH: ${{ steps.report.outputs.path }}
+ PR_NUMBER: ${{ steps.pr.outputs.number }}
 with:
 script: |
 const fs = require('fs');
 const marker = '';
- const reportPath = '${{ steps.report.outputs.path }}';
- const prNumber = parseInt('${{ steps.pr.outputs.number }}', 10);
+ const reportPath = process.env.REPORT_PATH;
+ const prNumber = parseInt(process.env.PR_NUMBER, 10);
+
+ if (!Number.isInteger(prNumber) || prNumber <= 0) {
+ core.setFailed('Invalid PR number from artifact — possible artifact poisoning.');
+ return;
+ }
 const markdown = fs.readFileSync(reportPath, 'utf-8');
 const body = `${marker}\n${markdown}`;
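Review bot: The new format check runs after `tr -d '[:space:]'` has already glued every whitespace-separated token in the artifact together, so a file containing `12 34` (or two lines `12` and `34`) is accepted as PR 1234 instead of being rejected; validating the raw file content before any stripping avoids that. If the step runs under bash (the default on Linux runners), the `echo | grep` pipeline can be replaced by a direct match that also rejects extra tokens or lines: `if [[ ! "$(<"$PR_FILE")" =~ ^[[:space:]]*([1-9][0-9]*)[[:space:]]*$ ]]; then` … `fi` followed by `PR_NUMBER=${BASH_REMATCH[1]}`. Note that a well-formed positive integer is not evidence that the number belongs to the run that produced the artifact; if this job is triggered by workflow_run (the trigger is outside this hunk), the number should additionally be cross-checked against the triggering run's metadata before anything is posted. The run block continues outside the hunk.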
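Review bot: `reportPath` is passed straight to `fs.readFileSync` with no check, while the PR number from the same pipeline now gets one; if `steps.report.outputs.path` is also derived from the downloaded artifact (its origin is outside this hunk), a crafted value would let the artifact decide which runner file ends up in the PR comment body. Resolving it with `path.resolve(process.env.REPORT_PATH)` and asserting it starts with the resolved artifact extraction directory plus `path.sep`, with `core.setFailed` on mismatch, would close that gap in the same shape as the new PR-number guard. Two smaller points: `parseInt` could be `Number.parseInt` to match the `Number.isInteger` style on the following line, and `const marker = ''` reads as an empty string here, which looks like a rendering artefact (an HTML-comment marker stripped from the page) but, if genuinely empty, would make any marker-based lookup of the existing comment (outside this hunk) match every comment. The script continues outside the hunk.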