[WIP] Fix template injection error in sync-actions.yml#9
…sync-actions.yml Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Pull request overview
This PR aims to mitigate a GitHub Actions template-injection risk in the sync-actions.yml reusable workflow by avoiding direct ${{ inputs.ref }} interpolation inside a shell run: script.
Changes:
- Pass inputs.ref via an environment variable (INPUT_REF) in the "Resolve ref" step.
- Replace RAW_REF="${{ inputs.ref }}" with RAW_REF="${INPUT_REF}" to avoid direct expression interpolation in that step.
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| INPUT_REF: ${{ inputs.ref }} |
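Review bot: the env: block in this hunk is at step scope, so INPUT_REF exists only inside the "Resolve ref" step; any other run: step in the same job that still writes ${{ inputs.ref }} into its script text (the review below names the earlier "Log workflow context" step) keeps the interpolation problem. Suggest hoisting `INPUT_REF: ${{ inputs.ref }}` into the job-level env: so every step can read "$INPUT_REF" without its own copy, and, since the env hand-off only stops the value from being parsed as shell syntax, adding an allowlist check on RAW_REF (ref-name characters only, no leading "-", no "..") before it is passed to git.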
This change prevents expression interpolation of inputs.ref in the "Resolve ref" step, but the workflow still directly expands ${{ inputs.ref }} inside a run: script in the earlier "Log workflow context" step (lines 44/46). That keeps the template-injection risk because a crafted ref value containing quotes/newlines could break the generated shell script before any permission checks run. Consider removing ${{ inputs.ref }} from all run: blocks (e.g., pass it via env at the job level and reference $INPUT_REF/use printf '%s\n' when logging).
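As an added example (not code from this PR or its workflow), this is the shape the "Resolve ref" step's script can take once the ref reaches it through INPUT_REF rather than through ${{ inputs.ref }} interpolation: read the value from the environment, reject anything that is not a plausible ref name, and log it with printf '%s\n' as the review above suggests. The allowlist check and the function names (validate_ref, resolve_ref) are assumptions added here; the PR itself only shows the env hand-off.

```shell
#!/bin/sh
# Added example, not the PR's code. Assumes the workflow step sets
#   env:
#     INPUT_REF: ${{ inputs.ref }}
# so that the ref arrives as data in $INPUT_REF and is never spliced
# into the script text by the Actions template engine.

# Reject values that are not ref-like. This is a subset of the rules
# git check-ref-format enforces, chosen to stop the cases that matter
# for a shell script: leading "-" (parsed as an option), "..", and any
# character outside [A-Za-z0-9._/-], which covers quotes, ";", "$",
# backticks, spaces and newlines. Assumed policy, not from the PR.
validate_ref() {
  ref=$1
  [ -n "$ref" ] || return 1
  [ "${#ref}" -le 255 ] || return 1
  case "$ref" in
    -*)                  return 1 ;;  # would be read as a git option
    *..*)                return 1 ;;  # never valid in a ref name
    */)                  return 1 ;;  # trailing slash is invalid
    *.lock)              return 1 ;;  # reserved suffix in git
    *[!A-Za-z0-9._/-]*)  return 1 ;;  # shell metacharacters, newline, etc.
  esac
  return 0
}

# Mirrors RAW_REF="${INPUT_REF}" from the PR: the assignment is a plain
# variable copy, so a crafted value cannot terminate the quoted string.
# The value is then validated before anything downstream (git fetch,
# checkout) sees it, and printed with printf rather than echo so that
# a value beginning with "-" is not treated as an echo option.
resolve_ref() {
  raw_ref=${INPUT_REF:-}
  if ! validate_ref "$raw_ref"; then
    printf 'resolve_ref: rejected INPUT_REF=%s\n' "$raw_ref" >&2
    return 1
  fi
  printf '%s\n' "$raw_ref"
}

# Stand-alone use: INPUT_REF=release/v1.2 sh resolve_ref.sh
if [ -n "${INPUT_REF+set}" ]; then
  resolve_ref
fi
```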
.github/workflows/sync-actions.yml
- Pass inputs.ref as an environment variable (INPUT_REF: ${{ inputs.ref }}) in the "Resolve ref" step's env: section
- Change RAW_REF="${{ inputs.ref }}" to RAW_REF="${INPUT_REF}" to avoid direct shell expansion of user-controlled input