Update SECURITY.md with reporting instructions #12
Open
thomaslovaslokoy-ui wants to merge 3 commits into vercel:add-install-composite-action from
Conversation
…te action (#3)

Three security vulnerabilities identified in audit and fixed:

1. Expression injection via inputs.filter (Finding 2)
   - inputs.filter was interpolated directly into the run: shell script, allowing arbitrary command injection if a caller passed a malicious value.
   - Fix: bind the value to an env var (FILTER) and pass it to jq via --arg, so jq treats it as data rather than part of its expression.

2. Private registry token exposed in shell command (Finding 3)
   - inputs.vercel-private-registry-token was interpolated directly into the pnpm config set command. This can surface the token value in runner debug logs, process listings, and crash artifacts. GitHub's secret masking does not cover composite-action inputs interpolated this way.
   - Fix: reference the already-present $VERCEL_PRIVATE_REGISTRY_TOKEN env var instead of the raw expression.

3. Step output injected into shell command (Finding 4)
   - steps.parse-filter.outputs.pnpm-filter-args was interpolated directly into the run: script, compounding Finding 2.
   - Fix: expose the output through a new PNPM_FILTER_ARGS env var and reference it in the shell body. The var is intentionally left unquoted so that multiple --filter flags word-split correctly.

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: thomaslovaslokoy-ui <thomaslovaslokoy-ui@users.noreply.github.com>
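The hardened shape the commit describes, as an added composite-action sketch that is not the repository's own action.yml. It assumes inputs.filter is a JSON array of package names (the real input format is not shown in the PR) and uses a placeholder registry host.

```yaml
# Added example sketch, not the project's action.yml.
# Assumption: inputs.filter is a JSON array of package names; the registry
# host below is a placeholder.
name: install
inputs:
  filter:
    description: JSON array of workspace package names to install
    required: false
    default: "[]"
  vercel-private-registry-token:
    description: Token for the private registry
    required: false
runs:
  using: composite
  steps:
    - id: parse-filter
      shell: bash
      # The untrusted input is bound to an env var; no ${{ }} inside run:.
      # --arg makes jq treat $f as a string, never as program text, and
      # fromjson fails the step (safely) if the value is not valid JSON.
      env:
        FILTER: ${{ inputs.filter }}
      run: |
        args=$(jq -rn --arg f "$FILTER" '$f | fromjson | map("--filter " + .) | join(" ")')
        echo "pnpm-filter-args=$args" >> "$GITHUB_OUTPUT"
    - shell: bash
      env:
        # The token reaches the shell only through the environment, so it is
        # not part of the command line and does not land in process listings.
        VERCEL_PRIVATE_REGISTRY_TOKEN: ${{ inputs.vercel-private-registry-token }}
        # The step output likewise enters via env rather than interpolation.
        PNPM_FILTER_ARGS: ${{ steps.parse-filter.outputs.pnpm-filter-args }}
      run: |
        pnpm config set "//PLACEHOLDER_REGISTRY_HOST/:_authToken" "$VERCEL_PRIVATE_REGISTRY_TOKEN"
        # Intentionally unquoted so several --filter flags word-split.
        pnpm install $PNPM_FILTER_ARGS
```

With this layout a filter value containing quotes or shell metacharacters either produces literal --filter tokens or makes jq reject the JSON; it can no longer alter the jq program or the shell script.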