fix(security): validate remote URL and escape commit messages in generate-release.ps1 #673
@@ -17,6 +17,13 @@ if ($repoUrl -match '^git@github\.com:(.+)') { | |||||||||
| $repoUrl = "https://github.com/$($matches[1])" | ||||||||||
| } | ||||||||||
|
|
||||||||||
| # Validate remote URL is a standard GitHub repo path (guard against tampered remotes) | ||||||||||
| if ($repoUrl -notmatch '^https://github\.com/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$') { | ||||||||||
| Write-Error "Unexpected remote URL '$repoUrl' — aborting to prevent unintended GitHub API calls." | ||||||||||
| Pop-Location | ||||||||||
| exit 1 | ||||||||||
| } | ||||||||||
|
|
||||||||||
|
|
||||||||||
| $filename = "release_${VersionFrom}_to_${VersionTo}.md" | ||||||||||
|
|
||||||||||
| # Clear existing release.md if it exists | ||||||||||
|
|
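Review bot: the character class `[A-Za-z0-9_.-]+` in the new `-notmatch` check still accepts a trailing `.git`, so an SSH remote rewritten by the preceding `git@github\.com:` branch (`git@github.com:owner/repo.git` becomes `https://github.com/owner/repo.git`) passes validation with the suffix intact; either strip `.git` before this check or extend the pattern with `(?:\.git)?$` and remove the suffix when the repo path is derived. One more caveat on the error path: `Write-Error` is non-terminating by default, which is why the explicit `Pop-Location` and `exit 1` are needed, but if the script ever runs with `$ErrorActionPreference = 'Stop'` the `Write-Error` will throw before `Pop-Location` executes, so a `try/finally` around the location change would be more robust than relying on the manual pop.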
@@ -68,8 +75,11 @@ foreach ($sha in $commits) { | |||||||||
| $message = git log -1 --pretty=format:'%s' $sha | ||||||||||
| $shortSha = git log -1 --pretty=format:'%h' $sha | ForEach-Object { $_.Substring(0, 6) } | ||||||||||
|
|
||||||||||
| # Escape markdown special characters in commit message to prevent content injection | ||||||||||
| $safemessage = $message -replace '\[', '\[' -replace '\]', '\]' -replace '<', '<' -replace '>', '>' | ||||||||||
|
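Review bot: as rendered in this diff, the last two replacements on the new `$safemessage` line map `<` to `<` and `>` to `>`, which is a no-op; if the source actually substitutes `&lt;`/`&gt;` the diff view has only decoded the entities, but if not, angle brackets reach the generated markdown unescaped and a commit subject can still inject raw HTML into the release file. Calling `[System.Net.WebUtility]::HtmlEncode($message)` first, as the suggested change on this hunk proposes, removes that ambiguity. Escaping only `[` and `]` also leaves other markdown syntax untouched (backticks, `*`, `_`, `|`, a leading `#`), so consider escaping those too. The regex side is fine: `-replace` patterns are regular expressions, so `'\['` is the correct pattern, and the replacement side is treated literally, so the output gains a backslash before each bracket as intended.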
|
||||||||||
| # Escape markdown special characters in commit message to prevent content injection | |
| $safemessage = $message -replace '\[', '\[' -replace '\]', '\]' -replace '<', '<' -replace '>', '>' | |
| # Escape HTML first, then escape markdown link delimiters in the commit message to prevent content injection | |
| $safemessage = [System.Net.WebUtility]::HtmlEncode($message) -replace '\[', '\[' -replace '\]', '\]' |
Copilot
AI
Apr 21, 2026
Variable name $safemessage is inconsistent with the casing used elsewhere in this script (e.g., $repoUrl, $shortSha). Consider renaming to $safeMessage for readability and consistency.
The remote URL validation only checks that the URL is on github.com and has an owner/repo shape, but it still allows `origin` to point to a different GitHub repository. That means a tampered remote can still cause `gh api repos/$repoPath/...` to fetch and embed data from an attacker-controlled repo. Consider sourcing the repo identity from a trusted channel when available (e.g., `$env:GITHUB_REPOSITORY` in CI) and/or adding an explicit `-RepoPath`/`-RepoUrl` parameter, and then validating that the remote-derived value matches it before continuing.