fix(security): prevent script injection in rc-revert workflow #324

Merged
jmiller merged 2 commits from feature/harden-rc-revert-injection into dev 2026-06-27 02:32:27 +00:00

2 Commits

Commit 3972b91169
Author: gitea-actions[bot]
Date: 2026-06-27 02:30:54 +00:00
Check: RC Revert / Rename rc/ back to dev/ (pull_request) Has been skipped
Check: Branch Cleanup / Delete merged branch (pull_request) Successful in 2s

chore(version): auto-bump patch 09.38.05-dev [skip ci]

Commit 5885797728
Author: jmiller
Date: 2026-06-27 02:30:43 +00:00
Check: Universal: Auto Version Bump / Version Bump (push) Successful in 8s

fix(security): prevent shell/PHP script injection in rc-revert workflow

The PR head branch ref is attacker-controlled and was substituted via
${{ }} directly into the shell run block (and interpolated into php -r),
allowing command injection with secrets.MOKOGITEA_TOKEN in scope.

- Pass untrusted values through env (BRANCH/REPO/GITEA_URL/TOKEN), not
  ${{ }} template substitution into shell source
- Strict allowlist ^rc/[A-Za-z0-9._/-]+$ before any use
- PHP reads BRANCH via getenv() instead of string interpolation
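
The three changes listed in the commit message above, sketched as an added shell example; it is not the repository's workflow code. Only the allowlist pattern and the BRANCH variable name come from the commit message; the function names and sample refs are constructed for illustration, and the `sh -c` child stands in for the `php -r` call.

```shell
#!/bin/sh
# Added example, not the project's workflow. Function names are hypothetical.
# Assumes the workflow passes the ref through `env:` as BRANCH, so the value
# is data in the environment and never part of the script source.
LC_ALL=C; export LC_ALL   # byte-exact bracket ranges

# Allowlist equivalent to ^rc/[A-Za-z0-9._/-]+$ from the commit message.
# `case` matches the whole string, so an embedded newline is rejected too
# (a line-oriented grep would accept a value whose first line matches).
is_valid_rc_branch() {
    case "$1" in
        rc/?*) ;;                         # rc/ plus at least one character
        *) return 1 ;;
    esac
    case "${1#rc/}" in
        *[!A-Za-z0-9._/-]*) return 1 ;;   # any character outside the set
    esac
    return 0
}

# Map rc/<name> to dev/<name>; fails with no output on a rejected ref.
rc_to_dev() {
    is_valid_rc_branch "$1" || return 1
    printf 'dev/%s\n' "${1#rc/}"
}

# Stand-in for the getenv() change: the child program text is a fixed
# single-quoted literal and reads the value from its environment.
child_sees_branch() {
    BRANCH="$1" sh -c 'printf "%s" "$BRANCH"'
}

# Constructed sample refs: one legitimate, the rest must be refused.
for ref in 'rc/09.38.05' 'rc/x;id' 'rc/$(id)' 'dev/x' 'rc/'; do
    if target=$(rc_to_dev "$ref"); then
        echo "accept $ref -> $target"
    else
        echo "reject $ref"
    fi
done
```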