From 4d8da13da95e392b2fd7090fbf5353c28555df98 Mon Sep 17 00:00:00 2001
From: Claude
Date: Sat, 13 Dec 2025 20:47:34 +0000
Subject: [PATCH] Fix command injection vulnerability in test-failure-analysis.yml

Prevent command injection by passing untrusted GitHub context values (workflow_run.name and workflow_run.head_branch) through environment variables instead of direct shell interpolation. The vulnerability allowed malicious branch names with shell metacharacters like $() to execute arbitrary commands. Now these values are safely passed as environment variables which prevents shell expansion.

Fixes: HIGH severity command injection vulnerability on lines 66-67, 92
---
 examples/test-failure-analysis.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/examples/test-failure-analysis.yml b/examples/test-failure-analysis.yml
index 85d63c6..1bd0729 100644
--- a/examples/test-failure-analysis.yml
+++ b/examples/test-failure-analysis.yml
@@ -53,6 +53,8 @@ jobs:
 fromJSON(steps.detect.outputs.structured_output).confidence >= 0.7
 env:
 GH_TOKEN: ${{ github.token }}
+ WORKFLOW_NAME: ${{ github.event.workflow_run.name }}
+ HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
 run: |
 OUTPUT='${{ steps.detect.outputs.structured_output }}'
 CONFIDENCE=$(echo "$OUTPUT" | jq -r '.confidence')
@@ -63,8 +65,7 @@ jobs:
 echo ""
 echo "Triggering automatic retry..."
- gh workflow run "${{ github.event.workflow_run.name }}" \
- --ref "${{ github.event.workflow_run.head_branch }}"
+ gh workflow run "$WORKFLOW_NAME" --ref "$HEAD_BRANCH"
 # Low confidence flaky detection - skip retry
 - name: Low confidence detection
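Review bot: The context line `OUTPUT='${{ steps.detect.outputs.structured_output }}'` on the new side of the first hunk is still a `${{ }}` template substitution into the script text, so it has the same shape of problem the commit fixes for the branch name: the expression is expanded before the shell parses the script, and a single quote in the step output terminates the literal and lets whatever follows run as shell. Whether `structured_output` can carry attacker-controlled text is not visible here, but it appears to be produced by an analysis step over failing-test output, which a pull request can influence. The same env-var pattern applies: add `OUTPUT: ${{ steps.detect.outputs.structured_output }}` under `env:` and delete the `OUTPUT='...'` assignment, since the later `echo "$OUTPUT" | jq` lines already read it as a variable. The step's `if:` block begins above the hunk.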
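Review bot: `gh workflow run "$WORKFLOW_NAME" --ref "$HEAD_BRANCH"` dispatches a brand-new run rather than re-running the failed one, so the retried run starts at attempt 1 and, when it fails again and is again classified as flaky at confidence >= 0.7, this workflow retries it again; unless the `if:` condition above the hunk caps attempts, this is an unbounded retry loop that burns runner minutes. It also presumably requires the target workflow to declare a `workflow_dispatch` trigger, which is not visible here. Re-running the existing run keeps the attempt counter, so the loop can be bounded: pass `RUN_ID: ${{ github.event.workflow_run.id }}` in `env:`, replace the dispatch with `gh run rerun "$RUN_ID" --failed`, and add `github.event.workflow_run.run_attempt < 3` to the step's `if:` condition.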
@@ -83,13 +84,14 @@ jobs:
 if: github.event.workflow_run.event == 'pull_request'
 env:
 GH_TOKEN: ${{ github.token }}
+ HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
 run: |
 OUTPUT='${{ steps.detect.outputs.structured_output }}'
 IS_FLAKY=$(echo "$OUTPUT" | jq -r '.is_flaky')
 CONFIDENCE=$(echo "$OUTPUT" | jq -r '.confidence')
 SUMMARY=$(echo "$OUTPUT" | jq -r '.summary')
- pr_number=$(gh pr list --head "${{ github.event.workflow_run.head_branch }}" --json number --jq '.[0].number')
+ pr_number=$(gh pr list --head "$HEAD_BRANCH" --json number --jq '.[0].number')
 if [ -n "$pr_number" ]; then
 if [ "$IS_FLAKY" = "true" ]; then
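Review bot: `gh pr list --head "$HEAD_BRANCH"` resolves the PR by branch name alone, and `.[0].number` silently takes the first match; this step runs when `workflow_run.event == 'pull_request'`, which includes pull requests from forks, so two open PRs whose forks use the same branch name (say `main` or `fix`) are indistinguishable and the comment built from `$SUMMARY` can land on the wrong PR. Qualifying the filter with the head repository owner removes the ambiguity: add `HEAD_OWNER: ${{ github.event.workflow_run.head_repository.owner.login }}` under `env:` and use `--head "$HEAD_OWNER:$HEAD_BRANCH"`. I have not confirmed how `gh pr list --head` treats `owner:branch` in the installed version, so this is worth checking against the CLI before relying on it. The `if [ -n "$pr_number" ]` block continues past the end of the hunk.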