From 0468c1f30f796a66c4aec828b122c4023ce1e790 Mon Sep 17 00:00:00 2001
From: orbisai0security <mediratta01.pally@gmail.com>
Date: Wed, 29 Apr 2026 13:38:23 +0000
Subject: [PATCH] fix: V-001 security vulnerability

Automated security fix generated by Orbis Security AI
---
 pkg/runner/action.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/pkg/runner/action.go b/pkg/runner/action.go
index b46a4d03a75..532400f7fc7 100644
--- a/pkg/runner/action.go
+++ b/pkg/runner/action.go
@@ -454,7 +454,9 @@ func populateEnvsFromInput(ctx context.Context, env *map[string]string, action *
 		envKey := regexp.MustCompile("[^A-Z0-9-]").ReplaceAllString(strings.ToUpper(inputID), "_")
 		envKey = fmt.Sprintf("INPUT_%s", envKey)
 		if _, ok := (*env)[envKey]; !ok {
-			(*env)[envKey] = eval.Interpolate(ctx, input.Default)
+			value := eval.Interpolate(ctx, input.Default)
+			value = strings.NewReplacer("\r", "", "\n", "", "\x00", "").Replace(value)
+			(*env)[envKey] = value
 		}
 	}
 }