From c5dd2b209c63ea55e504213ac8c38805085d8575 Mon Sep 17 00:00:00 2001
From: XananasX
Date: Tue, 14 Apr 2026 04:50:08 +0100
Subject: [PATCH] security: fix expression injection in triage-issue.yml

Move ${{ steps.run_script.outputs.labels }} from run: block to env: block to prevent GitHub Actions expression injection. Attacker-controlled issue body can prompt-inject Gemini API response, which flows unsanitized through ${{ }} into shell, enabling arbitrary command execution and secret exfiltration.
---
 .github/workflows/triage-issue.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/triage-issue.yml b/.github/workflows/triage-issue.yml
index 6217d6467..6cf40a987 100644
--- a/.github/workflows/triage-issue.yml
+++ b/.github/workflows/triage-issue.yml
@@ -56,9 +56,10 @@ jobs:
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 ISSUE_NUMBER: ${{ github.event.issue.number }}
+ LABELS: ${{ steps.run_script.outputs.labels }}
 run: |
 # Convert comma-separated labels to gh command arguments
- IFS=',' read -ra ADDR <<< "${{ steps.run_script.outputs.labels }}"
+ IFS=',' read -ra ADDR <<< "$LABELS"
 priority_added=false
 for i in "${ADDR[@]}"; do
 # Trim whitespace
@@ -70,4 +71,4 @@ jobs:
 fi
 done
 # Remove 'triage me' label
- gh issue edit "$ISSUE_NUMBER" --remove-label "triage me" || true
\ No newline at end of file
+ gh issue edit "$ISSUE_NUMBER" --remove-label "triage me" || true
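Review bot: Moving the output into `env` closes the shell-injection sink, but each element of `ADDR` is still model-derived text that the loop (which continues outside the hunk, presumably into a `gh issue edit --add-label` call) applies verbatim, so a prompt-injected response can still attach any label the token is permitted to create. An allowlist inside the loop bounds that, e.g. `case "$i" in <allowed-label-a>|<allowed-label-b>) ;; *) echo "skipping unexpected label: $i" >&2; continue ;; esac`, with the placeholders replaced by the labels this workflow is meant to assign. Note too that `read -ra` consumes only up to the first newline, so a multi-line `labels` output would silently drop everything after line one; normalising with `tr '\n' ','` before the read, or rejecting multi-line output, makes that explicit. A short comment on the new `LABELS:` line — `# kept in env and never interpolated into run: the value is untrusted model output` — records why the indirection exists.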