
fix: Various fixes (v2 backport)#3309

Merged
szokeasaurusrex merged 7 commits into v2 from szokeasaurusrex/security-fixes-v2
May 21, 2026
@szokeasaurusrex szokeasaurusrex commented May 21, 2026

szokeasaurusrex and others added 7 commits May 21, 2026 14:25
Only disable SSL verification when the relevant field is defined in the
config and case-insensitively equal to `"false"`. Previously, SSL
verification was disabled whenever the option was set, but not
case-sensitively equal to `"true"`, which could lead to the case where
users who set the option to `"True"` have SSL verification
unintentionally disabled.

#skip-changelog

Fixes [SDK-1238](https://linear.app/getsentry/issue/SDK-1238/sentry-cli-strict-string-comparison-for-ssl-verify-setting-silently)

In hindsight, not sure this change is worth the added complexity. But I
suppose it is a bit safer if we check the checksums after download.

For this backport commit, we also need to add `sha2` to our dependencies; it does not exist in `v2` yet.

#skip-changelog

Fixes [SDK-1235](https://linear.app/getsentry/issue/SDK-1235/sentry-cli-self-update-binary-downloaded-without-integrity)

Ensure config files have the correct permissions, even when overwriting
an existing file, by first creating them as a brand new temporary file,
then atomically renaming them over any existing file.

Fixes [SDK-1234](https://linear.app/getsentry/issue/SDK-1234/sentry-cli-config-file-permissions-not-enforced-on-pre-existing-files)
@szokeasaurusrex szokeasaurusrex requested a review from a team as a code owner May 21, 2026 13:57
@szokeasaurusrex szokeasaurusrex merged commit 748be19 into v2 May 21, 2026
47 of 49 checks passed
@szokeasaurusrex szokeasaurusrex deleted the szokeasaurusrex/security-fixes-v2 branch May 21, 2026 14:30
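
The config-permissions commit message above describes creating the file as a brand-new temporary file and atomically renaming it over any existing one. A sketch of that pattern next to an in-place overwrite, using only the Rust standard library (an added example, not code from this pull request or from sentry-cli; the function names, file names and the `0o600` mode are assumptions, and it is Unix-only):

```rust
use std::fs::{self, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::Path;

/// Weak form: mode() only applies when open() creates the file, so an
/// existing world-readable file keeps its old permission bits.
fn write_in_place(path: &Path, contents: &[u8]) -> io::Result<()> {
    let mut f = OpenOptions::new().write(true).create(true).truncate(true).mode(0o600).open(path)?;
    f.write_all(contents)
}

/// Hardened form: brand-new temp file (0600 is an assumed target mode),
/// then an atomic rename over `path`.
fn write_private_atomic(path: &Path, contents: &[u8]) -> io::Result<()> {
    let name = path.file_name()
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "path has no file name"))?;
    // Same directory as the target, so rename() never crosses filesystems.
    let tmp = path.with_file_name(format!(".{}.{}.tmp", name.to_string_lossy(), std::process::id()));
    // create_new is O_EXCL: it fails rather than reuse a pre-created file.
    let mut f = OpenOptions::new().write(true).create_new(true).mode(0o600).open(&tmp)?;
    let result = f
        .write_all(contents)
        .and_then(|_| f.sync_all())
        .and_then(|_| fs::rename(&tmp, path));
    if result.is_err() {
        let _ = fs::remove_file(&tmp); // do not leave a stray secret-bearing temp file
    }
    result
}

/// Permission bits (lower 9) of `path`.
fn mode_of(path: &Path) -> io::Result<u32> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o777)
}

fn main() -> io::Result<()> {
    // Constructed scenario: a config file that already exists as 0644.
    let dir = std::env::temp_dir().join(format!("cfg-perm-demo-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let cfg = dir.join("example.ini");
    fs::write(&cfg, b"old")?;
    fs::set_permissions(&cfg, fs::Permissions::from_mode(0o644))?;

    write_in_place(&cfg, b"token=constructed-value\n")?;
    println!("in-place overwrite: {:o}", mode_of(&cfg)?);
    write_private_atomic(&cfg, b"token=constructed-value\n")?;
    println!("temp + rename:      {:o}", mode_of(&cfg)?);
    fs::remove_dir_all(&dir)
}
```

Because the rename replaces the directory entry, readers see either the old file or the complete new one, never a partially written file with the old mode.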