From 7559048c9905dd1e8ac3ab1939c59796ee9af895 Mon Sep 17 00:00:00 2001
From: XananasX7
Date: Sun, 28 Jun 2026 02:12:03 +0000
Subject: [PATCH] fix(security): prevent prompt injection and pin Actions to SHAs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two security issues fixed:

1. Prompt injection in gemini-review.yml (HIGH)

ISSUE_TITLE and ISSUE_BODY from github.event were passed directly as env vars to a gemini-cli agent that has issues:write and pull-requests:write permissions. Any user who can open an issue or PR (enforced through gemini-dispatch.yml, which runs on issues:opened with no author-association restriction) can inject adversarial content that hijacks the agent's behavior — e.g. exfiltrating secrets or posting malicious comments.

Fix: remove the env vars; the agent receives PULL_REQUEST_NUMBER and must fetch content via the GitHub API.

2. Tag-pinned actions in publish-pypi.yml (MEDIUM)

checkout@v6 and setup-python@v6 were mutable tag references in a job that holds PYPI_API_TOKEN. Pinned to commit SHAs.
---
 .github/workflows/gemini-review.yml | 5 +++--
 .github/workflows/integration_test.yml | 6 +++---
 .github/workflows/lint.yml | 4 ++--
 .github/workflows/publish-pypi.yml | 8 ++++----
 .github/workflows/test.yml | 4 ++--
 5 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/gemini-review.yml b/.github/workflows/gemini-review.yml
index 252d4130..20183fc8 100644
--- a/.github/workflows/gemini-review.yml
+++ b/.github/workflows/gemini-review.yml
@@ -33,8 +33,9 @@ jobs:
         uses: 'google-github-actions/run-gemini-cli@v0' # ratchet:exclude
         id: 'gemini_pr_review'
         env:
-          ISSUE_TITLE: '${{ github.event.pull_request.title || github.event.issue.title }}'
-          ISSUE_BODY: '${{ github.event.pull_request.body || github.event.issue.body }}'
+          # ISSUE_TITLE and ISSUE_BODY intentionally omitted: passing raw GitHub event
+          # content directly as env vars is a prompt-injection vector. The gemini-cli
+          # agent must fetch issue/PR content via the GitHub API using PULL_REQUEST_NUMBER.
           PULL_REQUEST_NUMBER: '${{ github.event.pull_request.number || github.event.issue.number }}'
           PR_OWNER: 'google'
           PR_REPO: 'secops-wrapper'
diff --git a/.github/workflows/integration_test.yml b/.github/workflows/integration_test.yml
index 24dac492..f19ef223 100644
--- a/.github/workflows/integration_test.yml
+++ b/.github/workflows/integration_test.yml
@@ -33,7 +33,7 @@ jobs:
       has_sha: ${{ steps.extract-sha.outputs.result != '' }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
       - name: Extract commit SHA from comment
         id: extract-sha
@@ -195,12 +195,12 @@ jobs:
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
           ref: ${{ needs.check-authorization.outputs.commit_sha }}
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6
         with:
           python-version: '3.11'
           cache: 'pip'
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 5526e33e..10a2c577 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
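Review bot: Dropping ISSUE_TITLE/ISSUE_BODY from the env block in the `@@ -33,8 +33,9` hunk does not remove the prompt-injection vector the commit describes — the new comment directs the agent to fetch the same issue/PR text via the API, so identical attacker-controlled content still reaches the model by a different route, while the job keeps its issues:write and pull-requests:write permissions. The controls that actually bound this are gating the job on author association (something like `if: contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.pull_request.author_association || github.event.issue.author_association)`, with the exact event fields depending on the trigger, which is outside this hunk), giving the agent a read-only or narrowly scoped token, and delimiting fetched content as data in the prompt rather than as instructions. The added comment should say so, so the next maintainer does not read it as "fixed": `# ISSUE_TITLE/ISSUE_BODY removed, but the agent still reads the same untrusted text via the API; gate this job on author_association and treat fetched content as data, not instructions.` Separately, `run-gemini-cli@v0` on the context line above remains a mutable tag (explicitly `# ratchet:exclude`d) in the very job whose write permissions motivated SHA-pinning elsewhere in this commit; either pin it to a SHA or record in the comment why it is exempt.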
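Review bot: In the `@@ -195,12 +195,12` hunk the newly pinned checkout still runs with `ref: ${{ needs.check-authorization.outputs.commit_sha }}`, a SHA that — per the `Extract commit SHA from comment` step in the earlier hunk — appears to originate from a comment, and actions/checkout writes the job's GITHUB_TOKEN into `.git/config` by default (`persist-credentials: true`), so any code executed from that checked-out commit can read the token. Add `persist-credentials: false` under the existing `with:` block unless a later step needs to push; that is a one-line change. Whether secrets are otherwise exposed to the untrusted commit is decided by the `check-authorization` job, which is outside this hunk and is the gate that should carry the author-association check, so the pin alone should not be read as hardening this job.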
@@ -16,10 +16,10 @@ jobs:
     steps:
       - name: Check out repository code
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6
         with:
           python-version: '3.10'
           cache: 'pip'
diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
index 3e859aa5..8e22d4c5 100644
--- a/.github/workflows/publish-pypi.yml
+++ b/.github/workflows/publish-pypi.yml
@@ -26,12 +26,12 @@ jobs:
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
           fetch-depth: 0 # Full history for changelog generation
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6
         with:
           python-version: '3.11'
@@ -264,10 +264,10 @@ jobs:
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6
         with:
           python-version: '3.11'
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index a6dad170..793b6b3f 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -20,10 +20,10 @@ jobs:
     steps:
       - name: Check out repository code
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6
         with:
           python-version: ${{ matrix.python-version }}
           cache: 'pip'
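Review bot: The `# v6` trailing comments on the new pinned lines in the publish-pypi `@@ -26,12 +26,12` hunk name only a major-version tag, so a reader cannot tell whether `df4cb1c0…` / `ece7cb06…` are the current v6 patch releases or stale ones, and Dependabot/Renovate cannot bump a SHA pin without an exact tag to match against. Verify each SHA resolves to a release tag (e.g. `git ls-remote https://github.com/actions/checkout refs/tags/v6*`) and write the comment as the exact tag, `# v6.x.y`, filled in from that lookup rather than assumed; the same applies to the other four workflows in this commit. Per the commit message this job holds PYPI_API_TOKEN, a long-lived secret whose theft is the whole reason for the pin; PyPI trusted publishing (`permissions: id-token: write` plus a SHA-pinned `pypa/gh-action-pypi-publish`) removes that secret from the repository entirely, though the publish step itself is outside this hunk, so that is a follow-up rather than a blocker.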