Sanitize branch names before checkout (#5970)

JamesBurnside · web-flow · commit 67289c60c728 · 2025-08-22T10:19:12.000-07:00
diff --git a/.github/workflows/update-chat-snapshots.yml b/.github/workflows/update-chat-snapshots.yml
@@ -17,6 +17,7 @@ jobs:
       pull-requests: write
     outputs:
       met: ${{ steps.label.outputs.found || steps.workflow_dispatch.outputs.found }}
+      active_branch_name_sanitized: ${{ steps.sanitize.outputs.branch }}
     steps:
       - uses: actions/checkout@v4
         with:
@@ -26,15 +27,40 @@ jobs:
           # This machine account is only for this PAT, pwd was created and thrown away
           # If an update is needed, create a new account, add access to the repo and generate a new PAT
           token: ${{ secrets.MACHINE_ACCOUNT_PAT }}
+      # Sanitize branch name for any subsequent git checkout to prevent branch name exploits
+      - name: Sanitize branch name
+        id: sanitize
+        if: ${{ github.event_name == 'pull_request' }}
+        env:
+          BRANCH_REF: ${{ github.event.pull_request.head.ref }}
+        run: |
+          # Sanitize branch name to prevent command injection
+          SAFE_BRANCH=$(echo "$BRANCH_REF" | sed 's/[^a-zA-Z0-9._\/-]//g')
+          echo "branch=$SAFE_BRANCH" >> $GITHUB_OUTPUT
+      # After sanitizing the branchname, confirm it exists (it won't if exploit code was stripped)
+      - name: Check sanitized branchname exists
+        if: ${{ github.event_name == 'pull_request' }}
+        env:
+          SAFE_BRANCH: ${{ steps.sanitize.outputs.branch }}
+        run: |
+          if [ -z "$SAFE_BRANCH" ]; then
+            echo "No branch specified; skipping existence check"
+          elif git ls-remote --heads origin "$SAFE_BRANCH" | grep -q "$SAFE_BRANCH"; then
+            echo "Branch '$SAFE_BRANCH' found."
+          else
+            echo "Error: Branch '$SAFE_BRANCH' not found on origin" >&2
+            exit 1
+          fi
       - name: Found required label
         id: label
         if: ${{ github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'update_chat_snapshots') }}
         env:
           # Required for running `gh`.
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.number }}
         run: |
           echo "found=true" >> $GITHUB_OUTPUT
-          gh pr edit ${{ github.event.number }} --remove-label update_chat_snapshots
+          gh pr edit "$PR_NUMBER" --remove-label update_chat_snapshots
 
   get_matrix:
     name: Set CI flavors
@@ -74,9 +100,12 @@ jobs:
           token: ${{ secrets.MACHINE_ACCOUNT_PAT }}
       - name: Checkout branch if on a PR
         if: ${{ github.event_name != 'workflow_dispatch' }}
+        # Use sanitized branch name from precondition job
+        env:
+          SAFE_BRANCH: ${{ needs.precondition.outputs.active_branch_name_sanitized }}
         # On the `pull_request` event, actions/checkout@v4 leaves the local checkout in a detached head state.
         # Explicitly checkout the target branch so we can push later.
-        run: git checkout ${{ github.event.pull_request.head.ref }}
+        run: git checkout "$SAFE_BRANCH"
       - name: Setup bot git information
         # User id of github actions bot. See https://api.github.com/users/better-informatics%5Bbot%5D
         run: |
@@ -130,6 +159,8 @@ jobs:
           fi
       - name: Push new snapshots, if any
         if: ${{ steps.changescheck.outputs.hasChanged == 'true' }}
+        env:
+          SAFE_BRANCH: ${{ needs.precondition.outputs.active_branch_name_sanitized }}
         # Before pushing changes to origin, merge any intervening changes on the upstream branch.
         # This allows multiple snapshot update jobs in this action to run concurrently.
         # - The only files updated locally are UI snapshots
@@ -143,7 +174,7 @@ jobs:
         run: |
           git add packages/react-composites/*.png
           git commit -m 'Update packages/react-composites ChatComposite browser test snapshots'
-          git pull origin ${{ needs.get_target_branch.outputs.target }} --no-rebase --no-edit
+          git pull origin "$SAFE_BRANCH" --no-rebase --no-edit
           git push
 
   push_updated_snapshots:
diff --git a/.github/workflows/update-snapshots.yml b/.github/workflows/update-snapshots.yml
@@ -18,6 +18,7 @@ jobs:
       pull-requests: write
     outputs:
       met: ${{ steps.label.outputs.found || steps.workflow_dispatch.outputs.found }}
+      active_branch_name_sanitized: ${{ steps.sanitize.outputs.branch }}
     steps:
       - uses: actions/checkout@v4
         with:
@@ -27,6 +28,29 @@ jobs:
           # This machine account is only for this PAT, pwd was created and thrown away
           # If an update is needed, create a new account, add access to the repo and generate a new PAT
           token: ${{ secrets.MACHINE_ACCOUNT_PAT }}
+      # Sanitize branch name for any subsequent git checkout to prevent branch name exploits
+      - name: Sanitize branch name
+        id: sanitize
+        if: ${{ github.event_name == 'pull_request' }}
+        env:
+          BRANCH_REF: ${{ github.event.pull_request.head.ref }}
+        run: |
+          # Sanitize branch name to prevent command injection
+          SAFE_BRANCH=$(echo "$BRANCH_REF" | sed 's/[^a-zA-Z0-9._\/-]//g')
+          echo "branch=$SAFE_BRANCH" >> $GITHUB_OUTPUT
+            # After sanitizing the branchname, confirm it exists (it won't if exploit code was stripped)
+      # After sanitizing the branchname, confirm it exists (it won't if exploit code was stripped)
+      - name: Check sanitized branchname exists
+        if: ${{ github.event_name == 'pull_request' }}
+        env:
+          SAFE_BRANCH: ${{ steps.sanitize.outputs.branch }}
+        run: |
+          if git ls-remote --heads origin "$SAFE_BRANCH" | grep -q "$SAFE_BRANCH"; then
+            echo "Branch '$SAFE_BRANCH' found."
+          else
+            echo "Error: Branch '$SAFE_BRANCH' not found on origin" >&2
+            exit 1
+          fi
       - name: Found workflow disptach
         id: workflow_dispatch
         if: ${{ github.event_name == 'workflow_dispatch' }}
@@ -37,9 +61,10 @@ jobs:
         env:
           # Required for running `gh`.
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.number }}
         run: |
           echo "found=true" >> $GITHUB_OUTPUT
-          gh pr edit ${{ github.event.number }} --remove-label update_snapshots
+          gh pr edit "$PR_NUMBER" --remove-label update_snapshots
 
   get_matrix:
     name: Set CI flavors
@@ -79,9 +104,12 @@ jobs:
           token: ${{ secrets.MACHINE_ACCOUNT_PAT }}
       - name: Checkout branch if on a PR
         if: ${{ github.event_name != 'workflow_dispatch' }}
+        # Use sanitized branch name from precondition job
+        env:
+          SAFE_BRANCH: ${{ needs.precondition.outputs.active_branch_name_sanitized }}
         # On the `pull_request` event, actions/checkout@v4 leaves the local checkout in a detached head state.
         # Explicitly checkout the target branch so we can push later.
-        run: git checkout ${{ github.event.pull_request.head.ref }}
+        run: git checkout "$SAFE_BRANCH"
       - name: Setup bot git information
         # User id of github actions bot. See https://api.github.com/users/better-informatics%5Bbot%5D
         run: |
@@ -136,11 +164,12 @@ jobs:
             echo "hasChanged=false" >> $GITHUB_OUTPUT
           else
             echo "hasChanged=true" >> $GITHUB_OUTPUT
-            exit
           fi
       - name: Push new snapshots, if any
         if: ${{ steps.changescheck.outputs.hasChanged == 'true' }}
-        # Before pushing changes to origin, merge any intervening changes on the upstream branch.
+        env:
+          SAFE_BRANCH: ${{ needs.precondition.outputs.active_branch_name_sanitized }}
+        # Before pushing changes to origin, merge any intervening changes on the upstream branch
         # This allows multiple snapshot update jobs in this action to run concurrently.
         # - The only files updated locally are UI snapshots
         # - Each job is responsible for a unique set of UI snapshots
@@ -153,7 +182,7 @@ jobs:
         run: |
           git add samples/tests/*.png
           git commit -m 'Update component examples snapshots'
-          git pull origin ${{ needs.get_target_branch.outputs.target }} --no-rebase --no-edit
+          git pull origin "$SAFE_BRANCH" --no-rebase --no-edit
           git push
 
   html_bundle:
@@ -175,9 +204,11 @@ jobs:
           token: ${{ secrets.MACHINE_ACCOUNT_PAT }}
       - name: Checkout branch if on a PR
         if: ${{ github.event_name != 'workflow_dispatch' }}
+        env:
+          SAFE_BRANCH: ${{ needs.precondition.outputs.active_branch_name_sanitized }}
         # On the `pull_request` event, actions/checkout@v4 leaves the local checkout in a detached head state.
         # Explicitly checkout the target branch so we can push later.
-        run: git checkout ${{ github.event.pull_request.head.ref }}
+        run: git checkout "$SAFE_BRANCH"
       - name: Setup bot git information
         # User id of github actions bot. See https://api.github.com/users/better-informatics%5Bbot%5D
         run: |
@@ -232,11 +263,12 @@ jobs:
             echo "hasChanged=false" >> $GITHUB_OUTPUT
           else
             echo "hasChanged=true" >> $GITHUB_OUTPUT
-            exit
           fi
       - name: Push new snapshots, if any
         if: ${{ steps.changescheck.outputs.hasChanged == 'true' }}
-        # Before pushing changes to origin, merge any intervening changes on the upstream branch.
+        env:
+          SAFE_BRANCH: ${{ needs.precondition.outputs.active_branch_name_sanitized }}
+        # Before pushing changes to origin, merge any intervening changes on the upstream branch
         # This allows multiple snapshot update jobs in this action to run concurrently.
         # - The only files updated locally are UI snapshots
         # - Each job is responsible for a unique set of UI snapshots
@@ -249,7 +281,7 @@ jobs:
         run: |
           git add samples/tests/*.png
           git commit -m 'Update embed html bundle snapshots'
-          git pull origin ${{ needs.get_target_branch.outputs.target }} --no-rebase --no-edit
+          git pull origin "$SAFE_BRANCH" --no-rebase --no-edit
           git push
 
   call_composite:
@@ -271,9 +303,11 @@ jobs:
           token: ${{ secrets.MACHINE_ACCOUNT_PAT }}
       - name: Checkout branch if on a PR
         if: ${{ github.event_name != 'workflow_dispatch' }}
+        env:
+          SAFE_BRANCH: ${{ needs.precondition.outputs.active_branch_name_sanitized }}
         # On the `pull_request` event, actions/checkout@v4 leaves the local checkout in a detached head state.
         # Explicitly checkout the target branch so we can push later.
-        run: git checkout ${{ github.event.pull_request.head.ref }}
+        run: git checkout "$SAFE_BRANCH"
       - name: Setup bot git information
         # User id of github actions bot. See https://api.github.com/users/better-informatics%5Bbot%5D
         run: |
@@ -332,7 +366,9 @@ jobs:
           fi
       - name: Push new snapshots, if any
         if: ${{ steps.changescheck.outputs.hasChanged == 'true' }}
-        # Before pushing changes to origin, merge any intervening changes on the upstream branch.
+        env:
+          SAFE_BRANCH: ${{ needs.precondition.outputs.active_branch_name_sanitized }}
+        # Before pushing changes to origin, merge any intervening changes on the upstream branch
         # This allows multiple snapshot update jobs in this action to run concurrently.
         # - The only files updated locally are UI snapshots
         # - Each job is responsible for a unique set of UI snapshots
@@ -345,7 +381,7 @@ jobs:
         run: |
           git add packages/react-composites/*.png
           git commit -m 'Update packages/react-composites CallComposite browser test snapshots'
-          git pull origin ${{ needs.get_target_branch.outputs.target }} --no-rebase --no-edit
+          git pull origin "$SAFE_BRANCH" --no-rebase --no-edit
           git push
 
   chat_composite:
@@ -367,9 +403,11 @@ jobs:
           token: ${{ secrets.MACHINE_ACCOUNT_PAT }}
       - name: Checkout branch if on a PR
         if: ${{ github.event_name != 'workflow_dispatch' }}
+        env:
+          SAFE_BRANCH: ${{ needs.precondition.outputs.active_branch_name_sanitized }}
         # On the `pull_request` event, actions/checkout@v4 leaves the local checkout in a detached head state.
         # Explicitly checkout the target branch so we can push later.
-        run: git checkout ${{ github.event.pull_request.head.ref }}
+        run: git checkout "$SAFE_BRANCH"
       - name: Setup bot git information
         # User id of github actions bot. See https://api.github.com/users/better-informatics%5Bbot%5D
         run: |
@@ -428,7 +466,9 @@ jobs:
           fi
       - name: Push new snapshots, if any
         if: ${{ steps.changescheck.outputs.hasChanged == 'true' }}
-        # Before pushing changes to origin, merge any intervening changes on the upstream branch.
+        env:
+          SAFE_BRANCH: ${{ needs.precondition.outputs.active_branch_name_sanitized }}
+        # Before pushing changes to origin, merge any intervening changes on the upstream branch
         # This allows multiple snapshot update jobs in this action to run concurrently.
         # - The only files updated locally are UI snapshots
         # - Each job is responsible for a unique set of UI snapshots
@@ -441,7 +481,7 @@ jobs:
         run: |
           git add packages/react-composites/*.png
           git commit -m 'Update packages/react-composites ChatComposite browser test snapshots'
-          git pull origin ${{ needs.get_target_branch.outputs.target }} --no-rebase --no-edit
+          git pull origin "$SAFE_BRANCH" --no-rebase --no-edit
           git push
 
   callwithchat_composite:
@@ -463,9 +503,11 @@ jobs:
           token: ${{ secrets.MACHINE_ACCOUNT_PAT }}
       - name: Checkout branch if on a PR
         if: ${{ github.event_name != 'workflow_dispatch' }}
+        env:
+          SAFE_BRANCH: ${{ needs.precondition.outputs.active_branch_name_sanitized }}
         # On the `pull_request` event, actions/checkout@v4 leaves the local checkout in a detached head state.
         # Explicitly checkout the target branch so we can push later.
-        run: git checkout ${{ github.event.pull_request.head.ref }}
+        run: git checkout "$SAFE_BRANCH"
       - name: Setup bot git information
         # User id of github actions bot. See https://api.github.com/users/better-informatics%5Bbot%5D
         run: |
@@ -524,7 +566,9 @@ jobs:
           fi
       - name: Push new snapshots, if any
         if: ${{ steps.changescheck.outputs.hasChanged == 'true' }}
-        # Before pushing changes to origin, merge any intervening changes on the upstream branch.
+        env:
+          SAFE_BRANCH: ${{ needs.precondition.outputs.active_branch_name_sanitized }}
+        # Before pushing changes to origin, merge any intervening changes on the upstream branch
         # This allows multiple snapshot update jobs in this action to run concurrently.
         # - The only files updated locally are UI snapshots
         # - Each job is responsible for a unique set of UI snapshots
@@ -537,7 +581,7 @@ jobs:
         run: |
           git add packages/react-composites/*.png
           git commit -m 'Update packages/react-composites CallWithChatComposite browser test snapshots'
-          git pull origin ${{ needs.get_target_branch.outputs.target }} --no-rebase --no-edit
+          git pull origin "$SAFE_BRANCH" --no-rebase --no-edit
           git push
 
   components:
@@ -559,9 +603,11 @@ jobs:
           token: ${{ secrets.MACHINE_ACCOUNT_PAT }}
       - name: Checkout branch if on a PR
         if: ${{ github.event_name != 'workflow_dispatch' }}
+        env:
+          SAFE_BRANCH: ${{ needs.precondition.outputs.active_branch_name_sanitized }}
         # On the `pull_request` event, actions/checkout@v4 leaves the local checkout in a detached head state.
         # Explicitly checkout the target branch so we can push later.
-        run: git checkout ${{ github.event.pull_request.head.ref }}
+        run: git checkout "$SAFE_BRANCH"
       - name: Setup bot git information
         # User id of github actions bot. See https://api.github.com/users/better-informatics%5Bbot%5D
         run: |
@@ -617,7 +663,9 @@ jobs:
           fi
       - name: Push new snapshots, if any
         if: ${{ steps.changescheck.outputs.hasChanged == 'true' }}
-        # Before pushing changes to origin, merge any intervening changes on the upstream branch.
+        env:
+          SAFE_BRANCH: ${{ needs.precondition.outputs.active_branch_name_sanitized }}
+        # Before pushing changes to origin, merge any intervening changes on the upstream branch
         # This allows multiple snapshot update jobs in this action to run concurrently.
         # - The only files updated locally are UI snapshots
         # - Each job is responsible for a unique set of UI snapshots
@@ -630,7 +678,7 @@ jobs:
         run: |
           git add packages/react-components/*.png
           git commit -m 'Update packages/react-components browser test snapshots'
-          git pull origin ${{ needs.get_target_branch.outputs.target }} --no-rebase --no-edit
+          git pull origin "$SAFE_BRANCH" --no-rebase --no-edit
           git push
 
   push_updated_snapshots:
