Skip to content

fix: resolve GitHub Actions script injection vulnerabilities (S7630)#148

Merged
GitchalWoo merged 1 commit intomainfrom
fix/github-actions-script-injection
Feb 13, 2026
Merged

fix: resolve GitHub Actions script injection vulnerabilities (S7630)#148
GitchalWoo merged 1 commit intomainfrom
fix/github-actions-script-injection

Conversation

@bpolgar-swo
Copy link
Contributor

@bpolgar-swo bpolgar-swo commented Feb 12, 2026

  • Fix ios-install/action.yml: use env vars for download_url, device_name, ios_version
  • Fix android-install/action.yml: use env vars for download_url, api_level, device_profile, arch
  • Fix ios-test/action.yml: use shell vars instead of ${{ env.* }} in run blocks
  • Fix ios-expo-and-test.yml: use env vars for client_id, device_name, build_mode
  • Scope workflow permissions to job-level for least privilege in:
    • android-build-and-test.yml
    • ios-build-and-test.yml

This addresses SonarCloud blocker issues by preventing shell command injection through user-controlled inputs in GitHub Actions run blocks.

@bpolgar-swo
fix: resolve GitHub Actions script injection vulnerabilities (S7630)
c9e9261 
- Fix ios-install/action.yml: use env vars for download_url, device_name, ios_version
- Fix android-install/action.yml: use env vars for download_url, api_level, device_profile, arch
- Fix ios-test/action.yml: use shell vars instead of ${{ env.* }} in run blocks
- Fix ios-expo-and-test.yml: use env vars for client_id, device_name, build_mode
- Scope workflow permissions to job-level for least privilege in:
  - android-build-and-test.yml
  - ios-build-and-test.yml

This addresses SonarCloud blocker issues by preventing shell command injection
through user-controlled inputs in GitHub Actions run blocks.
@sonarqubecloud
Copy link

sonarqubecloud bot commented Feb 12, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@GitchalWoo GitchalWoo merged commit 597da8e into main Feb 13, 2026
8 checks passed
@GitchalWoo GitchalWoo deleted the fix/github-actions-script-injection branch February 13, 2026 10:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@GitchalWoo GitchalWoo GitchalWoo approved these changes

@HalilSWO HalilSWO Awaiting requested review from HalilSWO HalilSWO is a code owner

@dk1990 dk1990 Awaiting requested review from dk1990 dk1990 is a code owner

@jml-pl jml-pl Awaiting requested review from jml-pl jml-pl is a code owner

@DrJakiellSWO DrJakiellSWO Awaiting requested review from DrJakiellSWO DrJakiellSWO is a code owner

@mbeernut mbeernut Awaiting requested review from mbeernut mbeernut is a code owner

@magicswo magicswo Awaiting requested review from magicswo magicswo is a code owner

@MagdalenaKomudaSWO MagdalenaKomudaSWO Awaiting requested review from MagdalenaKomudaSWO MagdalenaKomudaSWO is a code owner

@Tania-Roche-SWO Tania-Roche-SWO Awaiting requested review from Tania-Roche-SWO Tania-Roche-SWO is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bpolgar-swo @GitchalWoo