Commit a3a662d

Authored by fix-it-felix-sentry[bot], claude, Lms24
fix(ci): Prevent command injection in ci-metadata workflow (#19899)
## Summary

This PR fixes a high-severity security vulnerability where GitHub context data was being directly interpolated into a shell script, potentially allowing command injection attacks.

## Changes

- Moved `github.event.pull_request.head.sha` and related GitHub context expressions into an environment variable `COMMIT_SHA_EXPR`
- Updated the shell script to reference the environment variable with proper quoting (`"$COMMIT_SHA_EXPR"`)
- This prevents untrusted input from being directly executed in the shell

## Security Impact

Before this fix, an attacker could potentially inject malicious code through pull request metadata, which would be executed in the GitHub Actions runner with access to secrets and code. After this fix, the GitHub context data is safely passed through an environment variable, preventing command injection.

## References

- Parent ticket: https://linear.app/getsentry/issue/VULN-1328
- Child ticket: https://linear.app/getsentry/issue/JS-1972
- [GitHub Actions Security Hardening](https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections)
- [GitHub Security Lab: Untrusted Input](https://securitylab.github.com/research/github-actions-untrusted-input/)
- [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.run-shell-injection.run-shell-injection)

---------

Co-authored-by: fix-it-felix-sentry[bot] <260785270+fix-it-felix-sentry[bot]@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-authored-by: Lukas Stracke <lukas.stracke@sentry.io>
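The pattern the commit describes, context expression placed in `env:` and then expanded with quotes, is the whole fix; the shell script still trusts whatever lands in `COMMIT_SHA_EXPR`. The following is an added example, not code from the Sentry repository, of a small POSIX shell wrapper that a `run:` step could call instead of invoking `git rev-parse` directly: it fails closed when the variable is empty (no trigger supplied a head commit) or does not look like a commit id, and only then passes the value to git as a single quoted argument. The function names and the hex-only validation rule are assumptions made here; a workflow that legitimately passes branch names through `inputs.head_commit` would need a wider pattern.

```shell
#!/bin/sh
# Added example (not part of the Sentry workflow). Assumes COMMIT_SHA_EXPR was
# populated from the workflow `env:` block exactly as the commit does.

# Accept only something shaped like a commit id: 7 to 40 hex digits.
# Anything else (empty string, shell metacharacters, a branch name)
# is rejected. This is a deliberately narrow assumption.
validate_commit_ref() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{7,40}$'
}

# Resolve the short SHA for a validated reference. Returns non-zero and
# emits a GitHub Actions error annotation instead of letting git see an
# empty or malformed argument.
resolve_short_sha() {
  ref=$1
  if [ -z "$ref" ]; then
    echo "::error::no head commit found in event payload or workflow inputs" >&2
    return 1
  fi
  if ! validate_commit_ref "$ref"; then
    echo "::error::refusing commit reference that is not a hex object id" >&2
    return 1
  fi
  # Quoted expansion: the value is exactly one argv word for git and is
  # never re-parsed by the shell, which is what the commit's fix relies on.
  git rev-parse --short "$ref"
}

# Intended use inside the step (hypothetical):
#   COMMIT_SHA=$(resolve_short_sha "$COMMIT_SHA_EXPR") || exit 1
#   echo "COMMIT_SHA=$COMMIT_SHA" >> "$GITHUB_ENV"
```

The validation is not a substitute for the env-var move: template expansion happens before the shell ever runs, so a check inside the script cannot help if the expression is still inlined into `run:`. It only narrows what an already-quoted value is allowed to be.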
1 parent d8dd265 commit a3a662d

1 file changed

Lines changed: 4 additions & 1 deletion

.github/workflows/ci-metadata.yml

@@ -51,8 +51,11 @@ jobs:
5151
id: get_metadata
5252
# We need to try a number of different options for finding the head commit, because each kind of trigger event
5353
# stores it in a different location
54+
env:
55+
COMMIT_SHA_EXPR:
56+
${{ github.event.pull_request.head.sha || github.event.head_commit.id || inputs.head_commit }}
5457
run: |
55-
COMMIT_SHA=$(git rev-parse --short ${{ github.event.pull_request.head.sha || github.event.head_commit.id || inputs.head_commit }})
58+
COMMIT_SHA=$(git rev-parse --short "$COMMIT_SHA_EXPR")
5659
echo "COMMIT_SHA=$COMMIT_SHA" >> $GITHUB_ENV
5760
echo "COMMIT_MESSAGE=$(git log -n 1 --pretty=format:%s $COMMIT_SHA)" >> $GITHUB_ENV
5861
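Review bot: the hunk removes the interpolation but adds no check for the case where all three context values are empty, so `git rev-parse --short ""` runs and the step fails with a git error rather than a clear message; consider guarding before the call, e.g. `if [ -z "$COMMIT_SHA_EXPR" ]; then echo "::error::no head commit found"; exit 1; fi`. The quoting itself is right: with `"$COMMIT_SHA_EXPR"` the value reaches `git rev-parse` as a single argument and is never parsed by the shell. For consistency the unchanged lines below could quote their expansions as well, `"$COMMIT_SHA"` in the `git log` call and `"$GITHUB_ENV"` on both redirections.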
