Skip to content

Delete create-branch.yml workflow with code injection vulnerability#3065

Merged
pelikhan merged 2 commits intomainfrom
copilot/fix-code-injection-vulnerability
Nov 3, 2025
Merged

Delete create-branch.yml workflow with code injection vulnerability#3065
pelikhan merged 2 commits intomainfrom
copilot/fix-code-injection-vulnerability

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Nov 3, 2025
edited
Loading

The create-branch.yml workflow had critical code injection vulnerabilities where unsanitized user input (github.event.inputs.name) was used directly in bash scripts.

Changes

  • Deleted .github/workflows/create-branch.yml entirely

Vulnerability Details

Two injection points existed:

# Line 31 - Create and push branch step
BRANCH_NAME="${{ github.event.inputs.name }}"
echo "Creating branch: $BRANCH_NAME"
git checkout -b "$BRANCH_NAME"

# Line 51 - Summary step
BRANCH_NAME="${{ github.event.inputs.name }}"
echo "- **Branch Name**: \`$BRANCH_NAME\`"

Malicious input like $(malicious command) or ; rm -rf / would execute in the workflow context with contents: write permissions.

Per maintainer request, deletion is preferred over sanitization.

Fixes #3058

Original prompt

This section details on the original issue you should resolve

<issue_title>[task] Fix critical code injection vulnerability in create-branch.yml</issue_title>
<issue_description>## Objective
Fix the code injection vulnerability (CVE-severity) in .github/workflows/create-branch.yml where unsanitized user input is used in bash scripts.

Context

Poutine identified 2 critical injection points where github.event.inputs.name is used directly in bash scripts without proper sanitization. This is a critical security risk that could allow arbitrary code execution.

Related to discussion #3058

Approach

  1. Locate the injection points in .github/workflows/create-branch.yml
  2. Sanitize github.event.inputs.name before use in bash scripts
  3. Use proper quoting and input validation
  4. Consider using GitHub Actions expressions instead of bash variables where possible

Files to Modify

  • .github/workflows/create-branch.yml

Acceptance Criteria

  • User input from github.event.inputs.name is properly sanitized
  • All bash scripts using this input are secured against injection
  • Re-run poutine scan shows 0 injection warnings
  • Workflow functionality is preserved

Security Impact

HIGH: This is a critical security vulnerability that could allow malicious users to execute arbitrary code in workflow context.
Related to #3058

AI generated by Plan Command for discussion #3058</issue_description>

Comments on the Issue (you are @copilot in this section)

@pelikhan @copilot delete the create branch workflow.

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

@pelikhan
Delete vulnerable create-branch.yml workflow
159a831 
Removed .github/workflows/create-branch.yml to fix critical code injection vulnerability (CVE-severity). The workflow had two injection points where github.event.inputs.name was used directly in bash scripts without sanitization, allowing potential arbitrary code execution.

Per maintainer request, deleting the workflow is the most secure solution.

Fixes #3058

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix critical code injection vulnerability in create-branch.yml Delete create-branch.yml workflow with code injection vulnerability Nov 3, 2025
Copilot AI requested a review from pelikhan November 3, 2025 17:16
@pelikhan pelikhan marked this pull request as ready for review November 3, 2025 17:21
Copilot AI review requested due to automatic review settings November 3, 2025 17:21
@pelikhan pelikhan enabled auto-merge (squash) November 3, 2025 17:21
@pelikhan pelikhan merged commit e15ba2e into main Nov 3, 2025
6 checks passed
@pelikhan pelikhan deleted the copilot/fix-code-injection-vulnerability branch November 3, 2025 17:21
Copilot AI reviewed Nov 3, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR removes the create-branch.yml GitHub Actions workflow that was used for manually creating and pushing new branches via workflow dispatch.

  • Deletes the entire workflow file that allowed users to create branches through GitHub's UI
  • Removes functionality for automated branch creation with validation and summary reporting

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@github-actions github-actions Bot mentioned this pull request Nov 3, 2025
Merged
16 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@pelikhan pelikhan pelikhan approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[task] Fix critical code injection vulnerability in create-branch.yml

3 participants

@pelikhan