
Validate VERSION before writing to GITHUB_OUTPUT in monorepo-release workflow to prevent newline injection #73

@github-actions


Summary

The VERSION value extracted from pyproject.toml in .github/workflows/monorepo-release.yml is written directly to $GITHUB_OUTPUT without any format validation. Because GITHUB_OUTPUT is parsed line by line as key=value pairs, a version string containing a newline character (e.g., version = "1.0.0\nGH_TOKEN=leaked") could inject arbitrary key-value pairs into GITHUB_OUTPUT, potentially poisoning subsequent workflow steps.

File & Location

  • File: .github/workflows/monorepo-release.yml
  • Line: 48

Original Review Comment

Category: CI/CD and GitHub Actions Security
Severity: Medium

The VERSION value extracted from pyproject.toml is written directly to $GITHUB_OUTPUT without any format validation. A version string that contains a newline character (e.g., version = "1.0.0\nGH_TOKEN=leaked") could inject arbitrary key-value pairs into GITHUB_OUTPUT, potentially poisoning subsequent steps.

By contrast, python-release.yml correctly validates wheel-derived values before using them:

if [[ ! "$NAME" =~ ^[a-zA-Z0-9_-]+$ ]] || [[ ! "$VERSION" =~ ^[0-9a-zA-Z._-]+$ ]]; then
  echo "::error::Unexpected wheel name/version format …" >&2
  exit 1
fi

Recommendation: Add an equivalent validation step immediately after extracting VERSION:

VERSION=$(grep -m1 '^version' pyproject.toml \
  | sed 's/version *= *"\(.*\)"/\1/')

# Validate format before writing to GITHUB_OUTPUT
if [[ ! "$VERSION" =~ ^[0-9a-zA-Z._-]+$ ]]; then
  echo "::error::Unexpected version format: '${VERSION}'" >&2
  exit 1
fi

echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
echo "tag=v${VERSION}" >> "$GITHUB_OUTPUT"

This also protects against an empty VERSION (if the grep/sed pattern fails to match), which would otherwise silently create a tag named v.

Proposed Fix

Add a format validation step immediately after extracting VERSION and before writing to GITHUB_OUTPUT, mirroring the pattern already used in python-release.yml:

if [[ ! "$VERSION" =~ ^[0-9a-zA-Z._-]+$ ]]; then
  echo "::error::Unexpected version format: '${VERSION}'" >&2
  exit 1
fi
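The following bash script is an added example, not part of the issue, the review comment or the repository's workflow. It reproduces the failure mode described above against a temporary file standing in for $GITHUB_OUTPUT: writing an unvalidated version string that carries an embedded newline produces four key=value lines instead of two, while the same regex check the issue recommends rejects that string (and the empty string) before anything is written. The function names and the sample version strings are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not from monorepo-release.yml): contrast unvalidated vs.
# validated writes to a GITHUB_OUTPUT-style file.
set -u

# The check recommended in the issue: letters, digits, '.', '_' and '-' only.
# [[ =~ ]] matches the whole string, so an embedded newline (which is not in
# the class) fails the match. A per-line tool such as grep would NOT catch it,
# because the first line "1.0.0" would match on its own.
validate_version() {
  [[ "$1" =~ ^[0-9a-zA-Z._-]+$ ]]
}

# Unvalidated write, as the current workflow does it. Returns (on stdout) the
# number of key=value lines that ended up in the output file: 2 is expected,
# anything more means extra keys were injected.
unsafe_output_lines() {
  local version="$1" out n
  out=$(mktemp)
  echo "version=${version}" >> "$out"
  echo "tag=v${version}" >> "$out"
  n=$(grep -c '=' "$out")
  rm -f "$out"
  echo "$n"
}

# Validated write: refuse (exit status 1, nothing written) unless the version
# matches the allow-list pattern.
safe_output() {
  local version="$1" out="$2"
  if ! validate_version "$version"; then
    echo "::error::Unexpected version format: '${version}'" >&2
    return 1
  fi
  echo "version=${version}" >> "$out"
  echo "tag=v${version}" >> "$out"
}

# Constructed sample inputs for a stand-alone run.
demo() {
  local benign='1.0.0'
  local injected
  injected=$(printf '1.0.0\nGH_TOKEN=leaked')   # constructed malicious value
  echo "benign, unvalidated:   $(unsafe_output_lines "$benign") lines"
  echo "injected, unvalidated: $(unsafe_output_lines "$injected") lines"
  local out
  out=$(mktemp)
  safe_output "$benign" "$out" && echo "benign, validated: accepted"
  safe_output "$injected" "$out" || echo "injected, validated: rejected"
  safe_output "" "$out" || echo "empty, validated: rejected"
  rm -f "$out"
}

demo
```

Running the script prints 2 lines for the benign version and 4 for the injected one, then shows the validated path accepting only the benign value. The empty-string case is the one the review comment notes separately: without the check, a failed grep/sed match would produce a tag named v.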

Related PR: #51
Review comment: #51 (comment)

Generated by PR Review Comment — Create Issue for PR #51
