mirror of
https://github.com/tiennm99/ccs.git
synced 2026-07-16 06:16:37 +00:00
fix(ci): prevent shell injection from PR body markdown
Pass PR title and body via env vars instead of direct interpolation. Prevents backticks in markdown code blocks from being executed as shell commands.
This commit is contained in:
@@ -15,9 +15,12 @@ jobs:
|
||||
- name: Label linked issues as pending-release
|
||||
env:
|
||||
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
PR_TITLE: ${{ github.event.pull_request.title }}
|
||||
PR_BODY: ${{ github.event.pull_request.body }}
|
||||
run: |
|
||||
# Extract issue numbers from PR title and body
|
||||
PR_TEXT="${{ github.event.pull_request.title }} ${{ github.event.pull_request.body }}"
|
||||
# Extract issue numbers from PR title and body (passed via env vars for safety)
|
||||
# Using env vars prevents shell injection from backticks in markdown
|
||||
PR_TEXT="$PR_TITLE $PR_BODY"
|
||||
ISSUES=$(echo "$PR_TEXT" | grep -oE "(Fixes|Closes|Resolves|Refs?) #[0-9]+" | grep -oE "#[0-9]+" | sort -u || true)
|
||||
|
||||
if [[ -z "$ISSUES" ]]; then
|
||||
|
||||
Reference in New Issue
Block a user