From 68a0348c2068d85d2d735c8655f72bafe32d4c5d Mon Sep 17 00:00:00 2001
From: ant-soumitr
Date: Mon, 8 Dec 2025 12:08:44 -0800
Subject: [PATCH] fix: Replace direct template expansion of inputs in shell scripts with environment variables (#729)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replace direct template expansion of user inputs in shell scripts with environment variables to prevent potential command injection attacks.

Changes:
- sync-base-action.yml: Use $GITHUB_EVENT_NAME and $GITHUB_ACTOR instead of template expansion
- action.yml: Pass path_to_bun_executable and path_to_claude_code_executable through env vars
- base-action/action.yml: Same env var changes for path inputs

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude
---
 .github/workflows/sync-base-action.yml | 4 ++--
 action.yml | 14 +++++++++-----
 base-action/action.yml | 14 +++++++++-----
 3 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/sync-base-action.yml b/.github/workflows/sync-base-action.yml
index 32ba9b4..72bf8c0 100644
--- a/.github/workflows/sync-base-action.yml
+++ b/.github/workflows/sync-base-action.yml
@@ -94,5 +94,5 @@ jobs:
 echo "✅ Successfully synced \`base-action\` directory to [anthropics/claude-code-base-action](https://github.com/anthropics/claude-code-base-action)" >> $GITHUB_STEP_SUMMARY
 echo "" >> $GITHUB_STEP_SUMMARY
 echo "- **Source commit**: [\`${GITHUB_SHA:0:7}\`](https://github.com/anthropics/claude-code-action/commit/${GITHUB_SHA})" >> $GITHUB_STEP_SUMMARY
- echo "- **Triggered by**: ${{ github.event_name }}" >> $GITHUB_STEP_SUMMARY
- echo "- **Actor**: @${{ github.actor }}" >> $GITHUB_STEP_SUMMARY
+ echo "- **Triggered by**: $GITHUB_EVENT_NAME" >> $GITHUB_STEP_SUMMARY
+ echo "- **Actor**: @$GITHUB_ACTOR" >> $GITHUB_STEP_SUMMARY
diff --git a/action.yml b/action.yml
index b957527..1175014 100644
--- a/action.yml
+++ b/action.yml
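Review bot: The two values moved into environment variables here, `$GITHUB_EVENT_NAME` and `$GITHUB_ACTOR`, are populated by the runner from a fixed event name and a GitHub username rather than from free-form user text, so this hunk is consistent hardening rather than a fix for a reachable injection, and the commit message's "prevent potential command injection" should not be read as applying to these lines. While here, the redirect target is unquoted on every line of this step; `>> "$GITHUB_STEP_SUMMARY"` would match the `"$GITHUB_PATH"` quoting used elsewhere in the patch. The `run` block these lines belong to starts before the hunk.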
@@ -140,10 +140,12 @@ runs:
 - name: Setup Custom Bun Path
 if: inputs.path_to_bun_executable != ''
 shell: bash
+ env:
+ PATH_TO_BUN_EXECUTABLE: ${{ inputs.path_to_bun_executable }}
 run: |
- echo "Using custom Bun executable: ${{ inputs.path_to_bun_executable }}"
+ echo "Using custom Bun executable: $PATH_TO_BUN_EXECUTABLE"
 # Add the directory containing the custom executable to PATH
- BUN_DIR=$(dirname "${{ inputs.path_to_bun_executable }}")
+ BUN_DIR=$(dirname "$PATH_TO_BUN_EXECUTABLE")
 echo "$BUN_DIR" >> "$GITHUB_PATH"
 
 - name: Install Dependencies
@@ -182,6 +184,8 @@ runs:
 - name: Install Base Action Dependencies
 if: steps.prepare.outputs.contains_trigger == 'true'
 shell: bash
+ env:
+ PATH_TO_CLAUDE_CODE_EXECUTABLE: ${{ inputs.path_to_claude_code_executable }}
 run: |
 echo "Installing base-action dependencies..."
 cd ${GITHUB_ACTION_PATH}/base-action
@@ -190,7 +194,7 @@ runs:
 cd -
 
 # Install Claude Code if no custom executable is provided
- if [ -z "${{ inputs.path_to_claude_code_executable }}" ]; then
+ if [ -z "$PATH_TO_CLAUDE_CODE_EXECUTABLE" ]; then
 CLAUDE_CODE_VERSION="2.0.61"
 echo "Installing Claude Code v${CLAUDE_CODE_VERSION}..."
 for attempt in 1 2 3; do
@@ -210,9 +214,9 @@ runs:
 echo "Claude Code installed successfully"
 echo "$HOME/.local/bin" >> "$GITHUB_PATH"
 else
- echo "Using custom Claude Code executable: ${{ inputs.path_to_claude_code_executable }}"
+ echo "Using custom Claude Code executable: $PATH_TO_CLAUDE_CODE_EXECUTABLE"
 # Add the directory containing the custom executable to PATH
- CLAUDE_DIR=$(dirname "${{ inputs.path_to_claude_code_executable }}")
+ CLAUDE_DIR=$(dirname "$PATH_TO_CLAUDE_CODE_EXECUTABLE")
 echo "$CLAUDE_DIR" >> "$GITHUB_PATH"
 fi
 
diff --git a/base-action/action.yml b/base-action/action.yml
index d6262d7..26c22b7 100644
--- a/base-action/action.yml
+++ b/base-action/action.yml
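Review bot: Moving the input into `PATH_TO_BUN_EXECUTABLE` closes the shell-injection route, but in the Setup Custom Bun Path step the value is still trusted as a location to prepend to PATH: `dirname` of a relative path (`bun` → `.`, `tools/bun` → `tools`) writes a relative entry into `$GITHUB_PATH`, and later steps that resolve commands through it will look in whatever the working directory is, where checked-out repository content can shadow system binaries. Require an absolute path before the `dirname` line, `case "$PATH_TO_BUN_EXECUTABLE" in /*) ;; *) echo "::error::path_to_bun_executable must be an absolute path"; exit 1;; esac`, and consider `[ -x "$PATH_TO_BUN_EXECUTABLE" ]` as well so a typo fails here rather than at first use. The step's `if:` guard already excludes the empty value, so the check need not handle that case.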
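Review bot: In the `else` branch of the last hunk, `$PATH_TO_CLAUDE_CODE_EXECUTABLE` is announced and its directory appended to `$GITHUB_PATH` without checking that the file exists or is executable, so a wrong path silently produces a PATH entry and the error presumably only surfaces when something later tries to run Claude Code. A guard before the `dirname` line keeps the failure at the point of configuration: `[ -x "$PATH_TO_CLAUDE_CODE_EXECUTABLE" ] || { echo "::error::path_to_claude_code_executable is not an executable file: $PATH_TO_CLAUDE_CODE_EXECUTABLE"; exit 1; }`. Unlike the Bun step this branch is selected only by `-z`, so a whitespace-only value reaches it and `dirname` returns `.`; the same guard covers that. The `run` block this belongs to begins in an earlier hunk.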
@@ -101,10 +101,12 @@ runs:
 - name: Setup Custom Bun Path
 if: inputs.path_to_bun_executable != ''
 shell: bash
+ env:
+ PATH_TO_BUN_EXECUTABLE: ${{ inputs.path_to_bun_executable }}
 run: |
- echo "Using custom Bun executable: ${{ inputs.path_to_bun_executable }}"
+ echo "Using custom Bun executable: $PATH_TO_BUN_EXECUTABLE"
 # Add the directory containing the custom executable to PATH
- BUN_DIR=$(dirname "${{ inputs.path_to_bun_executable }}")
+ BUN_DIR=$(dirname "$PATH_TO_BUN_EXECUTABLE")
 echo "$BUN_DIR" >> "$GITHUB_PATH"
 
 - name: Install Dependencies
@@ -115,8 +117,10 @@ runs:
 
 - name: Install Claude Code
 shell: bash
+ env:
+ PATH_TO_CLAUDE_CODE_EXECUTABLE: ${{ inputs.path_to_claude_code_executable }}
 run: |
- if [ -z "${{ inputs.path_to_claude_code_executable }}" ]; then
+ if [ -z "$PATH_TO_CLAUDE_CODE_EXECUTABLE" ]; then
 CLAUDE_CODE_VERSION="2.0.61"
 echo "Installing Claude Code v${CLAUDE_CODE_VERSION}..."
 for attempt in 1 2 3; do
@@ -135,9 +139,9 @@ runs:
 done
 echo "Claude Code installed successfully"
 else
- echo "Using custom Claude Code executable: ${{ inputs.path_to_claude_code_executable }}"
+ echo "Using custom Claude Code executable: $PATH_TO_CLAUDE_CODE_EXECUTABLE"
 # Add the directory containing the custom executable to PATH
- CLAUDE_DIR=$(dirname "${{ inputs.path_to_claude_code_executable }}")
+ CLAUDE_DIR=$(dirname "$PATH_TO_CLAUDE_CODE_EXECUTABLE")
 echo "$CLAUDE_DIR" >> "$GITHUB_PATH"
 fi
 
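Review bot: This Setup Custom Bun Path step repeats the one in action.yml line for line, and the same gap carries over: a relative `path_to_bun_executable` gives a relative `BUN_DIR` (`dirname "bun"` → `.`) that is written into `$GITHUB_PATH` and used by subsequent steps, so repository content in the working directory can shadow system binaries. Add `case "$PATH_TO_BUN_EXECUTABLE" in /*) ;; *) echo "::error::path_to_bun_executable must be an absolute path"; exit 1;; esac` ahead of the `dirname` line here too. The sync workflow touched in this patch copies `base-action` out to its own repository, so the two copies have to carry the check independently rather than relying on one another.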
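Review bot: In the last hunk's `else` branch the caller-supplied `$PATH_TO_CLAUDE_CODE_EXECUTABLE` is added to `$GITHUB_PATH` with no existence or executability check, and because the branch is chosen only by `[ -z ... ]` a whitespace-only value also lands here with `dirname` returning `.`. Insert `[ -x "$PATH_TO_CLAUDE_CODE_EXECUTABLE" ] || { echo "::error::path_to_claude_code_executable is not an executable file"; exit 1; }` before the `dirname` line so misconfiguration fails in this step. The `if`/`else` this belongs to opens in the previous hunk.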