Skip to content

Security: Replace extra-args denylist with allowlist in setup-python-env composite action #67

New issue
New issue
Open
#91
Open
Security: Replace extra-args denylist with allowlist in setup-python-env composite action#67
#91
Assignees
pmalarmecopilot-swe-agent
@github-actions

Description

@github-actions
github-actions
bot
opened on Feb 19, 2026

The extra-args input in .github/actions/setup-python-env/action.yml (line 42) uses a denylist to block specific dangerous uv sync flags, but this approach is insufficient — many other flags that can alter dependency resolution semantics remain unblocked.

Unblocked flags that could be dangerous:

  • --python — could redirect to a different Python interpreter
  • --no-build-isolation — disables build isolation, allowing unbounded environment access
  • --constraint / --override-requires-python — alter dependency resolution
  • --no-sources — skips workspace packages

Recommendation: Replace the denylist with an allowlist of explicitly supported flags. For example:

allowed_args=(
  "--all-packages"
  "--prerelease=if-necessary-or-explicit"
  "-U"
  "--upgrade"
)
for arg in $EXTRA_ARGS; do
  allowed=false
  for a in "${allowed_args[@]}"; do [[ "$arg" == "$a" ]] && allowed=true && break; done
  if [[ "$allowed" != "true" ]]; then
    echo "::error::Unrecognized extra-args token: '$arg'." >&2; exit 1
  fi
done

Alternatively, remove extra-args entirely and expose structured boolean/enum inputs for each supported flag.

File: .github/actions/setup-python-env/action.yml, line 42
Severity: Medium
Categories: Input Validation and Sanitization (Category 1) + CI/CD Security (Category 14)

Original review finding:

Category: Input Validation and Sanitization (Category 1) + CI/CD Security (Category 14)
Severity: Medium

The extra-args guard uses a denylist to block specific dangerous flags (--index-url, --extra-index-url, --trusted-host, --find-links), but many other uv sync flags that can alter dependency resolution semantics are not blocked, for example:

  • --python — could redirect to a different Python interpreter
  • --no-build-isolation — disables build isolation, allowing unbounded environment access
  • --constraint / --override-requires-python — alter dependency resolution
  • --no-sources — skips workspace packages

If any caller ever forwards a dynamic/user-sourced string to extra-args (despite the README warning), the denylist provides insufficient protection.

Recommendation: Replace the denylist with an allowlist of explicitly supported flags.

Related PR: #51
Review comment: #51 (comment)

Generated by PR Review Comment — Create Issue for issue #51

Metadata

Metadata

Assignees

Labels

No labels
No labels

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions