fix: prevent command injection in workflow example files

Fixes command injection vulnerabilities in example workflow files by using environment variables instead of direct template expansion in shell commands. This prevents malicious branch names containing command substitution syntax like $(cmd) from being executed by the shell. Files fixed: - examples/ci-failure-auto-fix.yml: github.event.workflow_run.head_branch - examples/test-failure-analysis.yml: github.event.workflow_run.name and head_branch
2026-01-22 14:24:13 +08:00 · 2025-12-16 01:37:30 +00:00
parent 9acae263e7
commit a86ef08036
2 changed files with 10 additions and 4 deletions
--- a/examples/ci-failure-auto-fix.yml
+++ b/examples/ci-failure-auto-fix.yml
@@ -35,8 +35,11 @@ jobs:

      - name: Create fix branch
        id: branch
+        env:
+          SOURCE_BRANCH: ${{ github.event.workflow_run.head_branch }}
+          RUN_ID: ${{ github.run_id }}
        run: |
-          BRANCH_NAME="claude-auto-fix-ci-${{ github.event.workflow_run.head_branch }}-${{ github.run_id }}"
+          BRANCH_NAME="claude-auto-fix-ci-${SOURCE_BRANCH}-${RUN_ID}"
          git checkout -b "$BRANCH_NAME"
          echo "branch_name=$BRANCH_NAME" >> $GITHUB_OUTPUT

--- a/examples/test-failure-analysis.yml
+++ b/examples/test-failure-analysis.yml
@@ -53,6 +53,8 @@ jobs:
          fromJSON(steps.detect.outputs.structured_output).confidence >= 0.7
        env:
          GH_TOKEN: ${{ github.token }}
+          WORKFLOW_NAME: ${{ github.event.workflow_run.name }}
+          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
        run: |
          OUTPUT='${{ steps.detect.outputs.structured_output }}'
          CONFIDENCE=$(echo "$OUTPUT" | jq -r '.confidence')
@@ -63,8 +65,8 @@ jobs:
          echo ""
          echo "Triggering automatic retry..."

-          gh workflow run "${{ github.event.workflow_run.name }}" \
-            --ref "${{ github.event.workflow_run.head_branch }}"
+          gh workflow run "$WORKFLOW_NAME" \
+            --ref "$HEAD_BRANCH"

      # Low confidence flaky detection - skip retry
      - name: Low confidence detection
@@ -83,13 +85,14 @@ jobs:
        if: github.event.workflow_run.event == 'pull_request'
        env:
          GH_TOKEN: ${{ github.token }}
+          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
        run: |
          OUTPUT='${{ steps.detect.outputs.structured_output }}'
          IS_FLAKY=$(echo "$OUTPUT" | jq -r '.is_flaky')
          CONFIDENCE=$(echo "$OUTPUT" | jq -r '.confidence')
          SUMMARY=$(echo "$OUTPUT" | jq -r '.summary')

-          pr_number=$(gh pr list --head "${{ github.event.workflow_run.head_branch }}" --json number --jq '.[0].number')
+          pr_number=$(gh pr list --head "$HEAD_BRANCH" --json number --jq '.[0].number')

          if [ -n "$pr_number" ]; then
            if [ "$IS_FLAKY" = "true" ]; then