fix: prevent command injection in release workflow (#442)

lukeina2z · web-flow · commit 5d0a0d2f030d · 2025-11-10T15:17:54.000-08:00
* fix: prevent command injection in release workflow

Mitigate remote code execution in release-build.yml where unsanitized user input could execute arbitrary commands and expose secrets.

- Add input validation for semantic versioning format
- Use environment variables instead of direct interpolation

* address code review feedback.
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
@@ -26,14 +26,22 @@ jobs:
         with:
           path: ~/.gradle/wrapper
           key: gradle-wrapper-${{ hashFiles('gradle/wrapper/gradle-wrapper.properties') }}
+      - name: Validate version input
+        run: |
+          if [[ ! "${{ github.event.inputs.version }}" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?(\+[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?$ ]]; then
+            echo "Invalid version format. Must follow Semantic Versioning (e.g., 1.2.3, 1.2.3-alpha.1, 1.2.3+build.1)"
+            exit 1
+          fi
       - name: Build and test
-        run: ./gradlew build -Prelease.version=${{ github.event.inputs.version }} --stacktrace
+        run: ./gradlew build -Prelease.version="$RELEASE_VERSION" --stacktrace
         env:
           CI: true
+          RELEASE_VERSION: ${{ github.event.inputs.version }}
       - name: Build and publish to sonatype
-        run: ./gradlew final closeAndReleaseSonatypeStagingRepository -Prelease.version=${{ github.event.inputs.version }} --stacktrace
+        run: ./gradlew final closeAndReleaseSonatypeStagingRepository -Prelease.version="$RELEASE_VERSION" --stacktrace
         env:
           CI: true
+          RELEASE_VERSION: ${{ github.event.inputs.version }}
           SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
           SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
           GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
