Fix RCE vulnerability in JMH Benchmarks workflow#232

Open
vikrambohra wants to merge 1 commit into linkedin:openhouse-1.2.0 from vikrambohra:vbohra/fix-rce-jmh-benchmarks-workflow

Conversation

@vikrambohra

Summary

  • Fix Remote Code Execution (RCE) vulnerability in the JMH Benchmarks GitHub Actions workflow
  • Move all user-controlled workflow_dispatch inputs from direct ${{ }} shell interpolation to env: variables, which GitHub automatically sanitizes against command injection
  • Quote gradlew arguments to prevent word splitting

User-controlled inputs (spark_version, benchmarks, repo, ref) were directly interpolated into shell run commands, allowing arbitrary command injection (e.g., iceberg-spark-3.3| id; cat /etc/passwd;#).

Fixes: BDP-72545, PWN-46510

Testing Done

  • Verify workflow still triggers correctly via workflow_dispatch
  • Confirm env vars are properly passed to shell commands
  • Validate that malicious input in spark_version field no longer executes
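Added here as an illustration (not the PR's diff and not the OpenHouse workflow itself): a plain-shell model of why the change works. `fake_gradlew` is a constructed stand-in for `./gradlew`, `eval` reproduces the order in which `${{ }}` substitution rewrites the step's script text before the shell parses it, and the env-variable route shows the value expanded at run time as one quoted argument; the inputs are constructed, with `echo INJECTED` as a harmless marker.

```shell
#!/bin/sh
# Constructed stand-in for ./gradlew: prints the argument vector it receives so
# we can see exactly what the benchmark command would have been handed.
fake_gradlew() {
  printf 'argc=%d' "$#"
  for a in "$@"; do printf ' [%s]' "$a"; done
  printf '\n'
}

# Model of the vulnerable step. `${{ inputs.spark_version }}` is pasted into
# the step's script text before the shell starts, so the value is parsed as
# shell syntax; `eval` reproduces that template-then-execute order.
run_interpolated() {
  script="fake_gradlew jmh -Pspark=$1"
  eval "$script"
}

# Model of the fixed step: the value arrives in an environment variable and is
# expanded, quoted, by the shell at run time, so it is always one argument.
run_via_env() {
  SPARK_VERSION=$1
  fake_gradlew jmh -Pspark="$SPARK_VERSION"
}

# Same env-variable route without the quotes: metacharacters are no longer
# executed, but the value is still subject to word splitting and globbing.
run_via_env_unquoted() {
  SPARK_VERSION=$1
  fake_gradlew jmh -Pspark=$SPARK_VERSION
}

# Constructed inputs: one benign, one carrying shell metacharacters with a
# harmless echo as the marker, one containing a space.
benign='iceberg-spark-3.3'
hostile='iceberg-spark-3.3| echo INJECTED;#'
spaced='iceberg-spark-3.3 --info'

echo "interpolated, benign:  $(run_interpolated "$benign")"
echo "interpolated, hostile: $(run_interpolated "$hostile")"    # marker runs
echo "env quoted, hostile:   $(run_via_env "$hostile")"         # one argument
echo "env unquoted, spaced:  $(run_via_env_unquoted "$spaced")" # split in two
```

The same mechanism is what makes `env:` safe in Actions: the runner never pastes the value into the script, so the shell only ever sees it as the contents of a variable.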

Move user-controlled workflow_dispatch inputs from direct shell interpolation
to environment variables to prevent command injection. GitHub Actions sanitizes
inputs when accessed through env vars, blocking shell metacharacter execution.

Fixes: BDP-72545, PWN-46510

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@github-actions github-actions bot added the INFRA label Mar 4, 2026