From 858c4f6dc19abf69a14fadfef10547f62eb4c77c Mon Sep 17 00:00:00 2001
From: "fix-it-felix-sentry[bot]" <260785270+fix-it-felix-sentry[bot]@users.noreply.github.com>
Date: Sun, 22 Mar 2026 19:35:53 +0000
Subject: [PATCH] Fix command injection vulnerability in iOS workflow

Move ios-version input to environment variable to prevent potential command injection attacks. Using GitHub context data directly in run scripts can allow attackers to inject malicious code if they control the input value.

Fixes: https://linear.app/getsentry/issue/VULN-1334
Fixes: https://linear.app/getsentry/issue/ENG-7130
Co-Authored-By: Claude Sonnet 4.5
---
 .github/workflows/test-run-ios.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/test-run-ios.yml b/.github/workflows/test-run-ios.yml
index 83d639d9d..e4851c455 100644
--- a/.github/workflows/test-run-ios.yml
+++ b/.github/workflows/test-run-ios.yml
@@ -63,10 +63,11 @@ jobs:
 - name: Run iOS Integration Tests
 id: integration-test
 timeout-minutes: 20
+ env:
+ SENTRY_IOS_VERSION: ${{ inputs.ios-version }}
 run: |
 $env:SENTRY_TEST_PLATFORM = "iOS"
 $env:SENTRY_TEST_APP = "samples/IntegrationTest/Build/IntegrationTest.app"
- $env:SENTRY_IOS_VERSION = "${{ inputs.ios-version }}"
 Invoke-Pester -Path test/IntegrationTest/Integration.Tests.ps1 -CI
 echo "status=success" >> $env:GITHUB_OUTPUT
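Review bot: The step-level `env:` removes the `${{ }}` interpolation from this `run:` block, but the value still reaches test/IntegrationTest/Integration.Tests.ps1 unvalidated through `$env:SENTRY_IOS_VERSION`, and if that script splices it into a command string (for example via Invoke-Expression or a concatenated argument list) the same input is still executable there; that cannot be confirmed from this hunk. Since the input is named ios-version, a cheap workflow-side guard before the Pester call is to reject anything that is not a dotted version, e.g. `if ($env:SENTRY_IOS_VERSION -notmatch '^\d+(\.\d+){0,2}$') { throw "ios-version has unexpected format" }` (constructed pattern; adjust to the accepted values), which also gives a clearer failure than a downstream tool error. The rest of the workflow is outside the hunk, so other steps that still interpolate `inputs.*` into `run:` would need the same treatment. A short comment above the `env:` block, `# passed via env rather than inline ${{ }} so the value is never parsed as script`, would keep the next editor from reintroducing the interpolation.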