fix(ci): prevent shell injection from PR body markdown

Pass PR title and body via env vars instead of direct interpolation.
Prevents backticks in markdown code blocks from being executed as shell commands.
This commit is contained in:
kaitranntt
2025-12-13 23:31:52 -05:00
parent e5cdf7c083
commit 5a8db2c1ee
+5 -2
View File
@@ -15,9 +15,12 @@ jobs:
- name: Label linked issues as pending-release
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR_TITLE: ${{ github.event.pull_request.title }}
PR_BODY: ${{ github.event.pull_request.body }}
run: |
# Extract issue numbers from PR title and body
PR_TEXT="${{ github.event.pull_request.title }} ${{ github.event.pull_request.body }}"
# Extract issue numbers from PR title and body (passed via env vars for safety)
# Using env vars prevents shell injection from backticks in markdown
PR_TEXT="$PR_TITLE $PR_BODY"
ISSUES=$(echo "$PR_TEXT" | grep -oE "(Fixes|Closes|Resolves|Refs?) #[0-9]+" | grep -oE "#[0-9]+" | sort -u || true)
if [[ -z "$ISSUES" ]]; then