[llvm] [Github] Fix security issues in libcxx-run-benchmarks.yml workflow (PR #158467)
via llvm-commits
llvm-commits at lists.llvm.org
Sun Sep 14 01:11:33 PDT 2025
llvmbot wrote:
@llvm/pr-subscribers-github-workflow
@llvm/pr-subscribers-libcxx
Author: Aiden Grossman (boomanaiden154)
<details>
<summary>Changes</summary>
There was one action dependency that was not hash-pinned, and this workflow also allowed code injection, as the input might not be properly escaped when dumped into the run script.
---
Full diff: https://github.com/llvm/llvm-project/pull/158467.diff
1 Files Affected:
- (modified) .github/workflows/libcxx-run-benchmarks.yml (+4-2)
``````````diff
diff --git a/.github/workflows/libcxx-run-benchmarks.yml b/.github/workflows/libcxx-run-benchmarks.yml
index 5714600b63a5e..17a97df029ba5 100644
--- a/.github/workflows/libcxx-run-benchmarks.yml
+++ b/.github/workflows/libcxx-run-benchmarks.yml
@@ -33,12 +33,14 @@ jobs:
runs-on: llvm-premerge-libcxx-next-runners # TODO: This should run on a dedicated set of machines
steps:
- - uses: actions/setup-python at v6
+ - uses: actions/setup-python at e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
with:
python-version: '3.10'
- name: Extract information from the PR
id: vars
+ env:
+ COMMENT_BODY: ${{ github.event.comment.body }}
run: |
python3 -m venv .venv
source .venv/bin/activate
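Review bot: Passing `github.event.comment.body` through the `COMMENT_BODY` environment variable is the right fix for the injection: the comment text now reaches the shell as data in a variable rather than being substituted into the script source before bash parses it. Two follow-ups for this hunk: confirm that the rest of this `run:` block (the lines between `source .venv/bin/activate` and the next hunk are not shown) contains no remaining `${{ ... }}` interpolations of event-controlled fields, and check that the pinned hash `e797f83bcb11b83ae66e0230d6156d7c80228e7c` actually corresponds to the `v6.0.0` tag named in the trailing comment, since the runner resolves only the hash and the comment is unverified documentation.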
@@ -51,7 +53,7 @@ jobs:
print(f"pr_base={pr.base.sha}")
print(f"pr_head={pr.head.sha}")
EOF
- BENCHMARKS=$(echo "${{ github.event.comment.body }}" | sed -nE 's/\/libcxx-bot benchmark (.+)/\1/p')
+ BENCHMARKS=$(echo "$COMMENT_BODY" | sed -nE 's/\/libcxx-bot benchmark (.+)/\1/p')
echo "benchmarks=${BENCHMARKS}" >> ${GITHUB_OUTPUT}
- uses: actions/checkout at 08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
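Review bot: The `BENCHMARKS` value is still derived from the comment body and is written to `${GITHUB_OUTPUT}` without validation, so any later step that interpolates `steps.vars.outputs.benchmarks` with `${{ ... }}` in a `run:` script would reintroduce the same class of injection this PR removes; consider constraining the captured group to an explicit character class (for example `([A-Za-z0-9_./-]+)` instead of `(.+)`) and rejecting a multi-line result before echoing it, since `sed -n ... p` prints one line per matching line and extra lines in `GITHUB_OUTPUT` would be parsed as additional `key=value` outputs. Smaller points on the same line: `printf '%s\n' "$COMMENT_BODY"` is more robust than `echo "$COMMENT_BODY"` for a value that may begin with `-n` or `-e`, and `${GITHUB_OUTPUT}` should be double-quoted for consistency with the other expansions.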
``````````
</details>
https://github.com/llvm/llvm-project/pull/158467