Commit 501daee

Copilot, lpcox, Copilot authored
fix: harden cache-memory pipeline against exec-bit persistence and instruction injection (#1917)
* Initial plan
* fix: harden cache-memory against exec-bit and injection attacks

  Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/b0ee2cdb-eb78-4742-995b-6ccf4573fd7e
* fix: tighten injection scan, add quarantine and idempotent update

  Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/b0ee2cdb-eb78-4742-995b-6ccf4573fd7e
* fix: address review feedback on cache-memory hardening
  - Guard find with directory existence check to avoid failures when cache dir is missing (e.g., when prior setup step failed)
  - Preserve directory structure in quarantine instead of flattening paths, avoiding filename collisions and evidence loss
  - Escape head output with sed to prevent GitHub Actions workflow command injection from malicious file content
  - Apply cache key and restore-keys TTL transformations independently so partially updated workflows are correctly repaired

  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Landon Cox <landon.cox@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent efe6bca commit 501daee

11 files changed: +837 -21 lines changed

.github/workflows/ci-doctor.lock.yml

Lines changed: 48 additions & 2 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

.github/workflows/issue-duplication-detector.lock.yml

Lines changed: 48 additions & 2 deletions

.github/workflows/pelis-agent-factory-advisor.lock.yml

Lines changed: 48 additions & 2 deletions

.github/workflows/secret-digger-claude.lock.yml

Lines changed: 49 additions & 3 deletions
