From 52d7816e43992f5aadf7858257a5e9a0742e5e53 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 26 Nov 2025 18:15:21 +0000
Subject: [PATCH 1/2] Initial plan

From 272d769af185ca31e01e963029b2341232f77669 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 26 Nov 2025 18:18:58 +0000
Subject: [PATCH 2/2] Fix command injection vulnerability in CI workflow by using environment variables

Replace direct interpolation of ${{ matrix.app.name }} in shell commands with environment variables passed via the env: section. All paths are now quoted to prevent command injection from untrusted fork PRs.

Affected jobs:
- e2e-local-dev: Setup canary, Resolve symlinks, Run E2E Tests
- e2e-local-prod: Setup canary, Run E2E Tests
- e2e-local-postgres: Setup canary, Run E2E Tests

Co-authored-by: pranaygp <1797812+pranaygp@users.noreply.github.com>
---
 .github/workflows/tests.yml | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 7bd31d34f..18379da21 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -175,8 +175,10 @@ jobs:
 if: ${{ matrix.app.canary }}
 run: |
 cat packages/next/package.json | jq '.dependencies.next|="canary"' > packages/next/package.json.new && mv packages/next/package.json.new packages/next/package.json
- cat workbench/${{ matrix.app.name }}/package.json | jq '.dependencies.next|="canary"' > workbench/${{ matrix.app.name }}/package.json.new && mv workbench/${{ matrix.app.name }}/package.json.new workbench/${{ matrix.app.name }}/package.json
+ cat "workbench/${APP_NAME}/package.json" | jq '.dependencies.next|="canary"' > "workbench/${APP_NAME}/package.json.new" && mv "workbench/${APP_NAME}/package.json.new" "workbench/${APP_NAME}/package.json"
 pnpm install --no-frozen-lockfile
+ env:
+ APP_NAME: ${{ matrix.app.name }}
 
 - name: Install Dependencies
 run: pnpm install --frozen-lockfile
@@ -185,10 +187,12 @@ jobs:
 run: pnpm turbo run build --filter='!./workbench/*'
 
 - name: Resolve symlinks
- run: ./scripts/resolve-symlinks.sh workbench/${{ matrix.app.name }}
+ run: ./scripts/resolve-symlinks.sh "workbench/${APP_NAME}"
+ env:
+ APP_NAME: ${{ matrix.app.name }}
 
 - name: Run E2E Tests
- run: cd workbench/${{ matrix.app.name }} && pnpm dev & echo "starting tests in 10 seconds" && sleep 10 && pnpm vitest run packages/core/e2e/dev.test.ts && sleep 10 && pnpm run test:e2e
+ run: cd "workbench/${APP_NAME}" && pnpm dev & echo "starting tests in 10 seconds" && sleep 10 && pnpm vitest run packages/core/e2e/dev.test.ts && sleep 10 && pnpm run test:e2e
 env:
 APP_NAME: ${{ matrix.app.name }}
 DEPLOYMENT_URL: "http://localhost:${{ matrix.app.name == 'sveltekit' && '5173' || '3000' }}"
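Review bot: Three steps in this job now each carry their own copy of `env: APP_NAME: ${{ matrix.app.name }}` (the two added here on Setup canary and Resolve symlinks, plus the pre-existing one on Run E2E Tests); hoisting that one line to a job-level `env:` block sets it for every `run:` step and removes the chance that the next step to touch `workbench/...` forgets the per-step block and falls back to `${{ }}` inside the shell. Passing the value through the environment is the right fix, and the added quoting `"workbench/${APP_NAME}"` keeps word-splitting out of the picture, but the value is still used as a path component, so a name containing `/` or `..` would escape `workbench/`; if `matrix.app` is ever built from `fromJSON` of event- or job-supplied data, a guard such as `case "$APP_NAME" in */*|*..*) echo "bad app name"; exit 1;; esac` at the top of the script is the cheap defence. The job header and the matrix definition are outside this hunk, so whether the matrix is static or derived from untrusted input cannot be confirmed here.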
@@ -225,8 +229,10 @@ jobs:
 if: ${{ matrix.app.canary }}
 run: |
 cat packages/next/package.json | jq '.dependencies.next|="canary"' > packages/next/package.json.new && mv packages/next/package.json.new packages/next/package.json
- cat workbench/${{ matrix.app.name }}/package.json | jq '.dependencies.next|="canary"' > workbench/${{ matrix.app.name }}/package.json.new && mv workbench/${{ matrix.app.name }}/package.json.new workbench/${{ matrix.app.name }}/package.json
+ cat "workbench/${APP_NAME}/package.json" | jq '.dependencies.next|="canary"' > "workbench/${APP_NAME}/package.json.new" && mv "workbench/${APP_NAME}/package.json.new" "workbench/${APP_NAME}/package.json"
 pnpm install --no-frozen-lockfile
+ env:
+ APP_NAME: ${{ matrix.app.name }}
 
 - name: Install Dependencies
 run: pnpm install --frozen-lockfile
@@ -240,7 +246,7 @@ jobs:
 APP_NAME: ${{ matrix.app.name }}
 
 - name: Run E2E Tests
- run: cd workbench/${{ matrix.app.name }} && pnpm start & echo "starting tests in 10 seconds" && sleep 10 && pnpm run test:e2e
+ run: cd "workbench/${APP_NAME}" && pnpm start & echo "starting tests in 10 seconds" && sleep 10 && pnpm run test:e2e
 env:
 APP_NAME: ${{ matrix.app.name }}
 DEPLOYMENT_URL: "http://localhost:${{ matrix.app.name == 'sveltekit' && '4173' || '3000' }}"
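Review bot: On the Run E2E Tests line, `cd "workbench/${APP_NAME}" && pnpm start & echo ...` backgrounds the whole `cd && pnpm start` list, so the `cd` takes effect only in that background job and the foreground `pnpm run test:e2e` runs from the repository root; the quoting change preserves this pre-existing shape, but a reader will assume the tests run inside the app directory unless told otherwise. A comment on the step, e.g. `# cd applies only to the backgrounded server; test:e2e runs from the repo root`, would document the intent, or `(cd "workbench/${APP_NAME}" && pnpm start) &` would make the subshell explicit. The step's `env:` block already defined `APP_NAME` before this commit, so only the `run:` line changes here.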
@@ -293,8 +299,10 @@ jobs:
 if: ${{ matrix.app.canary }}
 run: |
 cat packages/next/package.json | jq '.dependencies.next|="canary"' > packages/next/package.json.new && mv packages/next/package.json.new packages/next/package.json
- cat workbench/${{ matrix.app.name }}/package.json | jq '.dependencies.next|="canary"' > workbench/${{ matrix.app.name }}/package.json.new && mv workbench/${{ matrix.app.name }}/package.json.new workbench/${{ matrix.app.name }}/package.json
+ cat "workbench/${APP_NAME}/package.json" | jq '.dependencies.next|="canary"' > "workbench/${APP_NAME}/package.json.new" && mv "workbench/${APP_NAME}/package.json.new" "workbench/${APP_NAME}/package.json"
 pnpm install --no-frozen-lockfile
+ env:
+ APP_NAME: ${{ matrix.app.name }}
 
 - name: Install Dependencies
 run: pnpm install --frozen-lockfile
@@ -311,7 +319,7 @@ jobs:
 APP_NAME: ${{ matrix.app.name }}
 
 - name: Run E2E Tests
- run: cd workbench/${{ matrix.app.name }} && pnpm start & echo "starting tests in 10 seconds" && sleep 10 && pnpm run test:e2e
+ run: cd "workbench/${APP_NAME}" && pnpm start & echo "starting tests in 10 seconds" && sleep 10 && pnpm run test:e2e
 env:
 APP_NAME: ${{ matrix.app.name }}
 DEPLOYMENT_URL: "http://localhost:${{ matrix.app.name == 'sveltekit' && '4173' || '3000' }}"
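Review bot: The added `env: APP_NAME: ${{ matrix.app.name }}` on Setup canary has no comment saying why the expression is no longer written inline, and the commit message's "untrusted fork PRs" claim is only true if the matrix itself is populated from untrusted data; a matrix written literally in this workflow file is as trusted as the file, and the real gain is that the shell never re-parses the expanded value. I'd add `# passed via env so the shell never re-parses the expression value` above the `env:` key so the pattern survives the next refactor. Because the same three-line block is now repeated in this job and the two above it, a job-level `env:` would be the more maintainable home; the matrix and job headers lie outside this hunk.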