
security: replace vulnerable webhook steps with shared input sanitizer#168

Merged: Hannah-PortSwigger merged 1 commit into main from security/shared-input-sanitizer on Mar 12, 2026

Conversation

@djpaterson (Contributor)

Summary

  • Add hardened runner (portswigger-tim/safer-runner-action) to both issue and PR webhook workflows
  • Replace direct shell execution of user-controlled inputs (echo/curl in run: steps) with shared sanitization action (PortSwigger/shared-workflows/sanitize-inputs) and fjogeleit/http-request-action
  • Allowlist integrations.zoom.us in the hardened runner for webhook delivery
  • Preserves existing fork guard and trigger types (opened, reopened)

This eliminates command injection risk from malicious issue titles, PR titles, and usernames.

Test plan

  • Merge and create a test issue to verify the webhook notification is received
  • Verify the hardened runner does not block the webhook POST to integrations.zoom.us
  • Verify the sanitized payload format matches what the webhook consumer expects

🤖 Generated with Claude Code

Add hardened runner to both workflows with integrations.zoom.us allowlisted.
Replace direct shell execution of user-controlled inputs with shared
sanitization action and http-request-action, eliminating command injection risk.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
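The injection class this PR removes, shown as an added example that is not part of the PR or the repository's workflows: a shell script that simulates how the Actions runner pastes the value of `${{ github.event.issue.title }}` into a `run:` step's text before the shell parses it, so a crafted title (constructed here with a harmless `echo PWNED` marker instead of a real payload) executes as a command, alongside the standard fix of binding the expression to an environment variable so the shell only ever sees it as data. The step bodies and the `ISSUE_TITLE` name are illustrative assumptions; the shared sanitize-inputs action the PR adopts is not shown on this page and is not reproduced here.

```shell
#!/usr/bin/env sh
# Added example: simulates GitHub Actions expression expansion in a run: step.
# Not the project's workflow; step bodies and ISSUE_TITLE are illustrative assumptions.

# Constructed attacker-controlled issue title. A real payload would curl out
# secrets; a benign "echo PWNED" marker demonstrates the same control flow.
MALICIOUS_TITLE='Bug"; echo PWNED; echo "'

# Vulnerable pattern, as a workflow reads before the fix:
#   run: echo "New issue: ${{ github.event.issue.title }}"
# The runner evaluates the expression and splices its value into the script
# text with no quoting or escaping, before the shell ever sees it.
vulnerable_script() {
  printf 'echo "New issue: %s"\n' "$1"
}

# Execute the expanded script the way the runner does (in a child shell).
run_vulnerable() {
  sh -c "$(vulnerable_script "$1")"
}

# Hardened pattern: bind the expression to an environment variable and let
# the shell expand it as data.
#   env:
#     ISSUE_TITLE: ${{ github.event.issue.title }}
#   run: echo "New issue: $ISSUE_TITLE"
# The script text is now fixed; the title never becomes part of a command line.
run_safe() {
  ISSUE_TITLE="$1" sh -c 'echo "New issue: $ISSUE_TITLE"'
}

# Demo: the vulnerable step runs the injected command, the hardened step
# prints the title verbatim.
echo "--- vulnerable step ---"
run_vulnerable "$MALICIOUS_TITLE"
echo "--- hardened step ---"
run_safe "$MALICIOUS_TITLE"
```

Environment-variable indirection closes the shell boundary only. If the value is afterwards spliced into a JSON body for the webhook POST, it still needs JSON escaping at that second boundary, which is one reason to route it through a sanitizing action and a dedicated HTTP-request action, as this PR does, rather than build the request in a `run:` step at all.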
@PortSwiggerWiener (Collaborator) left a comment


LGTM 👍

Hannah-PortSwigger merged commit cb2e734 into main on Mar 12, 2026 (2 checks passed) and deleted the security/shared-input-sanitizer branch on March 12, 2026 at 16:54.
3 participants