
fix: validate backport branch name#9548

Merged: knqyf263 merged 2 commits into aquasecurity:main from knqyf263:chore/backport-branch-validation on Sep 30, 2025

Conversation

Collaborator

@knqyf263 knqyf263 commented Sep 30, 2025

Description

  • validate the backport workflow’s extracted branch name before exporting to GITHUB_ENV
  • reject empty or unsafe names while allowing dotted release branches like release/v0.53.1
  • verified on knqyf263/trivy#69 that safe names proceed (workflow run 18117590123) and unsafe names abort immediately (run 18117630437 and 18121474365)

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).
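
As an added example, not code from the Trivy repository or from this PR: a POSIX sh version of the extraction-then-validation step the description outlines, run over a constructed set of comment bodies. The function names (`extract_branch_name`, `validate_branch_name`, `run_demo`) and the sample bodies are assumptions. The checks go beyond the page's single character class by also rejecting `.` and `..` segments, names beginning with `-`, and multi-line values, which the class alone would let through.

```shell
#!/bin/sh
# Added example, not code from the Trivy repository: extract a backport
# branch name from an issue comment and validate it before it would be
# written to GITHUB_ENV. Function names and sample bodies are constructed.

# Print the token following "@aqua-bot backport" (first match only), or nothing.
extract_branch_name() {
    # printf, not echo, so a body starting with "-n"/"-e" is not read as an option.
    printf '%s\n' "$1" \
        | grep -oE '@aqua-bot backport[[:space:]]+[^[:space:]]+' \
        | awk '{print $3}' \
        | head -n 1
}

# Return 0 when NAME is safe to hand to git as a branch name, 1 otherwise.
validate_branch_name() {
    name=$1
    nl='
'
    # A multi-line value would let grep approve its first line only.
    case "$name" in *"$nl"*) return 1 ;; esac
    # Non-empty, every segment drawn from [A-Za-z0-9._-], segments joined by "/".
    printf '%s\n' "$name" \
        | grep -qE '^[A-Za-z0-9._-]+(/[A-Za-z0-9._-]+)*$' || return 1
    # The class above still admits "." and ".." as whole segments.
    case "/$name/" in */./*|*/../*) return 1 ;; esac
    # A leading "-" would be parsed by git as an option; ".lock" suffixes are
    # refused by git's own ref-name rules.
    case "$name" in -*|*.lock|*.lock/*) return 1 ;; esac
    return 0
}

# Constructed comment bodies exercising safe and unsafe inputs.
run_demo() {
    for body in \
        '@aqua-bot backport release/v0.53.1' \
        'note: @aqua-bot backport release/../main' \
        '@aqua-bot backport --force' \
        '@aqua-bot backport main;id' \
        'unrelated comment'
    do
        name=$(extract_branch_name "$body")
        if validate_branch_name "$name"; then
            printf 'OK      %s\n' "$name"
        else
            printf 'REJECT  %s\n' "${name:-<empty>}"
        fi
    done
}

run_demo
```

In a workflow step the same two functions would run before the `echo "BRANCH_NAME=..." >> "$GITHUB_ENV"` line, exiting non-zero on rejection; where git is available, `git check-ref-format --branch "$BRANCH_NAME"` is the authoritative final check on top of the character-class filter.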

@knqyf263 knqyf263 self-assigned this Sep 30, 2025
@knqyf263 knqyf263 requested a review from Copilot September 30, 2025 03:24
Contributor

Copilot AI left a comment


Pull Request Overview

This PR enhances security by validating backport branch names in the GitHub workflow before setting them as environment variables. The validation prevents potential command injection by ensuring branch names contain only safe characters while still allowing dotted release branches like release/v0.53.1.

  • Added validation for extracted branch names using regex pattern matching
  • Added error handling to exit immediately when invalid or empty branch names are detected
  • Improved shell scripting practices with proper variable quoting


Comment thread .github/workflows/backport.yaml Outdated
BRANCH_NAME=$(echo $COMMENT_BODY | grep -oE '@aqua-bot backport\s+(\S+)' | awk '{print $3}')
echo "BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_ENV
BRANCH_NAME=$(echo "$COMMENT_BODY" | grep -oE '@aqua-bot backport\s+(\S+)' | awk '{print $3}')
if [[ -z "$BRANCH_NAME" || ! "$BRANCH_NAME" =~ ^[A-Za-z0-9._/-]+$ ]]; then
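Review bot: the character class on the new `if` line, `^[A-Za-z0-9._/-]+$`, still accepts `..` as a whole path segment (so `release/../main` and `..` both pass) and accepts names beginning with `-`, which git would read as an option rather than a branch name; add explicit rejects for those cases next to the pattern, e.g. `[[ "$BRANCH_NAME" == -* || "/$BRANCH_NAME/" == */../* ]]`, or delegate the final decision to `git check-ref-format --branch "$BRANCH_NAME"`. Separately, the replacement extraction line keeps `echo "$COMMENT_BODY"`; `printf '%s\n' "$COMMENT_BODY"` avoids a body beginning with `-n` or `-e` being treated as echo options, and the export on the old line, `>> $GITHUB_ENV`, should quote the variable if it is retained.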

Copilot AI Sep 30, 2025


The regex pattern allows dots which could enable path traversal attacks with patterns like '../'. Consider restricting dots to only appear in specific contexts (e.g., version numbers) or use a more restrictive pattern like ^[A-Za-z0-9._-]+(/[A-Za-z0-9._-]+)*$ to prevent directory traversal.

Suggested change
if [[ -z "$BRANCH_NAME" || ! "$BRANCH_NAME" =~ ^[A-Za-z0-9._/-]+$ ]]; then
if [[ -z "$BRANCH_NAME" || ! "$BRANCH_NAME" =~ ^[A-Za-z0-9._-]+(/[A-Za-z0-9._-]+)*$ ]]; then
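Review bot: the suggested per-segment pattern `^[A-Za-z0-9._-]+(/[A-Za-z0-9._-]+)*$` does not block traversal as the comment claims, because `.` remains in the segment class and `..` therefore matches a segment on its own: `../other` and `release/../main` both satisfy it. Excluding dot-led segments, e.g. `^[A-Za-z0-9_-][A-Za-z0-9._-]*(/[A-Za-z0-9_-][A-Za-z0-9._-]*)*$`, or adding an explicit check that no segment equals `.` or `..`, is needed for the stated guarantee to hold while `release/v0.53.1` still passes.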

Collaborator Author


Improved in e0ff47b

@knqyf263 knqyf263 added the autoready Automatically mark PR as ready for review when all checks pass label Sep 30, 2025
@github-actions github-actions Bot marked this pull request as ready for review September 30, 2025 07:07
@github-actions github-actions Bot removed the autoready Automatically mark PR as ready for review when all checks pass label Sep 30, 2025
@knqyf263 knqyf263 added this pull request to the merge queue Sep 30, 2025
Merged via the queue into aquasecurity:main with commit f0fd432 Sep 30, 2025
14 checks passed
@knqyf263 knqyf263 deleted the chore/backport-branch-validation branch September 30, 2025 07:46
3 participants