[llvm] Potential fix for code scanning alert no. 1440: Code injection (PR #162764)

Tom Stellard via llvm-commits llvm-commits at lists.llvm.org
Thu Oct 9 19:51:34 PDT 2025


https://github.com/tstellar created https://github.com/llvm/llvm-project/pull/162764

Potential fix for [https://github.com/llvm/llvm-project/security/code-scanning/1440](https://github.com/llvm/llvm-project/security/code-scanning/1440)

To fix the issue, we must ensure that user-supplied, potentially unsafe data is never directly interpolated into shell scripts using workflow expression syntax (i.e., `...${{ ... }}...` inside `run:` blocks). The best practice is to assign the untrusted value to an environment variable and then reference that variable in the script using native shell syntax (`$VAR`), ensuring it is properly quoted.

**Specifically:**  
- We should set the value of `BENCHMARKS` as an environment variable on the relevant step(s) using the GitHub Actions `env` field, referencing only `${{ steps.vars.outputs.benchmarks }}` there.
- In the script, refer to the `$BENCHMARKS` variable (and double-quote it: `"$BENCHMARKS"`) instead of using `${{ ... }}` for interpolation.
- All shell invocations that use this tainted value (here: lines 71 and 77) must be updated to reference the quoted shell variable.

**Required changes:**  
- On lines 67 and 75 (the two steps running shell commands with user input), add `env: BENCHMARKS: ${{ steps.vars.outputs.benchmarks }}` for both steps.
- On lines 71 and 77, replace `${{ steps.vars.outputs.benchmarks }}` in the command with `"$BENCHMARKS"`.

No new imports or methods are necessary; this is purely a YAML refactor to apply best practices.

---


_Suggested fixes powered by Copilot Autofix. Review carefully before merging._
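The substitution-versus-environment distinction described above, as an added shell example that is not part of the LLVM workflow or of the Copilot suggestion. It uses `eval` to emulate what the Actions runner does when it expands `${{ ... }}` textually into a `run:` script, contrasts that with reading the value from a variable, and also shows the one behavioural difference the quoted form introduces (a single argument instead of shell word splitting). The benchmark value, the `tool` stand-in for `test-at-commit`, and the `run_*` helper names are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not the LLVM workflow's code. Emulates how a step output can
# reach a `run:` script: substituted into the script text (what ${{ }} does)
# versus read from an environment variable at execution time.

# Constructed attacker-controlled value; in the real workflow it would arrive
# through steps.vars.outputs.benchmarks.
MALICIOUS='algorithms/fill.bench.cpp; echo INJECTED'

# Stand-in for ./libcxx/utils/test-at-commit: reports how many arguments it
# received and echoes each one, so injection and word splitting are visible.
tool() {
    printf 'argc=%s\n' "$#"
    for a in "$@"; do printf 'arg=%s\n' "$a"; done
}

# Before the fix: Actions pastes the expression's text into the script before
# the shell runs it. eval reproduces that: the ';' becomes a command separator.
run_unsafe() {
    eval "tool $1"
}

# After the fix: the runner sets BENCHMARKS in the environment and the script
# text only contains "$BENCHMARKS". The shell expands it after parsing, so the
# content is data, never syntax.
run_safe() {
    BENCHMARKS="$1"
    eval 'tool "$BENCHMARKS"'
}

# Variant for when the output legitimately holds several space-separated
# names: split deliberately (set -f turns globbing off) into positional
# parameters. Still no parsing of the value as shell code.
run_safe_split() {
    BENCHMARKS="$1"
    (
        set -f
        IFS=' '
        # shellcheck disable=SC2086  # word splitting is intended here
        set -- $BENCHMARKS
        tool "$@"
    )
}

echo '--- unsafe (textual substitution) ---'; run_unsafe "$MALICIOUS"
echo '--- safe (env var, quoted) ---';        run_safe "$MALICIOUS"
echo '--- safe, two names, quoted ---';       run_safe 'a.bench.cpp b.bench.cpp'
echo '--- safe, two names, split ---';        run_safe_split 'a.bench.cpp b.bench.cpp'
```

Run it with `sh`. `run_unsafe` prints an extra `INJECTED` line because the semicolon in the value is parsed as a command separator, while both safe variants hand the whole text to `tool` as an argument. The quoted form passes `a.bench.cpp b.bench.cpp` as one argument; if the real output may carry several names, the split variant gives the tool separate arguments without ever letting the value be parsed as shell code.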


From dcf265968ad50ac624a4f55a7d67867d33b71cf3 Mon Sep 17 00:00:00 2001
From: Tom Stellard <tstellar at redhat.com>
Date: Thu, 9 Oct 2025 19:51:26 -0700
Subject: [PATCH] workflows/libcxx-run-benchmarks.yml: Fix code injection
 vulnerability

https://github.com/llvm/llvm-project/security/code-scanning/1440

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .github/workflows/libcxx-run-benchmarks.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/libcxx-run-benchmarks.yml b/.github/workflows/libcxx-run-benchmarks.yml
index 0379a0a1f857d..9e8f55859fc7a 100644
--- a/.github/workflows/libcxx-run-benchmarks.yml
+++ b/.github/workflows/libcxx-run-benchmarks.yml
@@ -64,17 +64,21 @@ jobs:
           path: repo # Avoid nuking the workspace, where we have the Python virtualenv
 
       - name: Run baseline
+        env:
+          BENCHMARKS: ${{ steps.vars.outputs.benchmarks }}
         run: |
           source .venv/bin/activate && cd repo
           python -m pip install -r libcxx/utils/requirements.txt
           baseline_commit=$(git merge-base ${{ steps.vars.outputs.pr_base }} ${{ steps.vars.outputs.pr_head }})
-          ./libcxx/utils/test-at-commit --commit ${baseline_commit} -B build/baseline -- -sv -j1 --param optimization=speed ${{ steps.vars.outputs.benchmarks }}
+          ./libcxx/utils/test-at-commit --commit ${baseline_commit} -B build/baseline -- -sv -j1 --param optimization=speed "$BENCHMARKS"
           ./libcxx/utils/consolidate-benchmarks build/baseline | tee baseline.lnt
 
       - name: Run candidate
+        env:
+          BENCHMARKS: ${{ steps.vars.outputs.benchmarks }}
         run: |
           source .venv/bin/activate && cd repo
-          ./libcxx/utils/test-at-commit --commit ${{ steps.vars.outputs.pr_head }} -B build/candidate -- -sv -j1 --param optimization=speed ${{ steps.vars.outputs.benchmarks }}
+          ./libcxx/utils/test-at-commit --commit ${{ steps.vars.outputs.pr_head }} -B build/candidate -- -sv -j1 --param optimization=speed "$BENCHMARKS"
           ./libcxx/utils/consolidate-benchmarks build/candidate | tee candidate.lnt
 
       - name: Compare baseline and candidate runs
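Review bot: `${{ steps.vars.outputs.pr_base }}` and `${{ steps.vars.outputs.pr_head }}` are still expanded directly into the same two `run:` scripts (the `git merge-base` line in "Run baseline" and the `--commit` argument in "Run candidate"), so if those outputs of the `vars` step derive from the same untrusted input as `benchmarks`, the injection path this patch closes stays open through them; the consistent fix is to put them in the step `env:` as well and reference `"$PR_BASE"` and `"$PR_HEAD"`. Separately, the old unquoted `${{ ... }}` expansion was word-split by the shell while `"$BENCHMARKS"` is always one argument, so if `benchmarks` can hold several space-separated names, `test-at-commit` now receives them as a single token; either confirm the output is always one name or split it deliberately in the script (e.g. `set -f; set -- $BENCHMARKS` before calling the tool) so splitting happens without the value ever being parsed as shell code.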


