Skip to content

Use env vars instead of direct interpolation in run commands #6388

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Oct 9, 2025
Merged

Use env vars instead of direct interpolation in run commands #6388

merged 2 commits into from
Oct 9, 2025

Conversation

@denrase
Copy link
Collaborator

@denrase denrase commented Oct 9, 2025
edited
Loading

#skip-changelog

📜 Description

This resolves potential command injection vulnerabilities that were reported to us.
While not all changes are prone to this issue, I have opted to move all interpolated vars in run commands to new vars to keep it consistent.
Also added ${VAR} curly braces just in places where we visually want to disambiguate, they are not strictly necessary.

💡 Motivation and Context

Relates to MOBILE-1036

💚 How did you test it?

CI should run successfully. Please review carefully, I did not verify if all affected LOC are run when opening a PR.

@linear
Copy link

linear bot commented Oct 9, 2025

MOBILE-1036 Command Injection vulnerabilities in getsentry/sentry-cocoa in 2 locations

@denrase denrase marked this pull request as ready for review October 9, 2025 08:59
@github-actions
Copy link
Contributor

github-actions bot commented Oct 9, 2025

Performance metrics 🚀

  Plain With Sentry Diff
Startup time 1219.45 ms 1258.59 ms 39.14 ms
Size 23.74 KiB 988.03 KiB 964.28 KiB

Baseline results on branch: main

Startup times

Revision Plain With Sentry Diff
99104c9 1224.84 ms 1247.08 ms 22.24 ms
d83b35a 1212.48 ms 1237.02 ms 24.54 ms
f8029e2 1245.16 ms 1261.32 ms 16.16 ms
be8375a 1212.65 ms 1239.72 ms 27.08 ms
a3dfd57 1230.78 ms 1244.91 ms 14.14 ms
1a34ddc 1218.94 ms 1251.86 ms 32.92 ms
5840d2d 1225.40 ms 1241.47 ms 16.07 ms
324c109 1228.35 ms 1252.47 ms 24.12 ms
d1c4916 1236.25 ms 1266.76 ms 30.51 ms
664c060 1215.48 ms 1244.41 ms 28.93 ms

App size

Revision Plain With Sentry Diff
99104c9 23.75 KiB 894.83 KiB 871.09 KiB
d83b35a 23.75 KiB 913.17 KiB 889.42 KiB
f8029e2 23.75 KiB 893.72 KiB 869.97 KiB
be8375a 23.75 KiB 933.03 KiB 909.28 KiB
a3dfd57 23.75 KiB 913.63 KiB 889.87 KiB
1a34ddc 23.75 KiB 919.88 KiB 896.13 KiB
5840d2d 23.75 KiB 969.24 KiB 945.50 KiB
324c109 23.75 KiB 919.91 KiB 896.16 KiB
d1c4916 23.75 KiB 981.15 KiB 957.40 KiB
664c060 23.74 KiB 977.41 KiB 953.67 KiB

@philprime philprime enabled auto-merge (squash) October 9, 2025 11:10
philprime
philprime approved these changes Oct 9, 2025
View reviewed changes
Copy link
Member

@philprime philprime left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks

@philprime philprime merged commit 934eee4 into main Oct 9, 2025
141 of 146 checks passed
@philprime philprime deleted the chrore/use-intermediate-env-var-in-runners branch October 9, 2025 11:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@philprime philprime philprime approved these changes

@philipphofmann philipphofmann Awaiting requested review from philipphofmann philipphofmann is a code owner

@noahsmartin noahsmartin Awaiting requested review from noahsmartin noahsmartin is a code owner

@itaybre itaybre Awaiting requested review from itaybre itaybre is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@denrase @philprime