anthropics/claude-code-action
1
0
Fork 0
mirror of https://github.com/anthropics/claude-code-action.git synced 2026-01-22 14:24:13 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
claude/fix-command-injection-011p27fUErJNzJnC8F2NhDfU
claude-code-action/examples
History
Claude 4d8da13da9 Fix command injection vulnerability in test-failure-analysis.yml 
Prevent command injection by passing untrusted GitHub context values
(workflow_run.name and workflow_run.head_branch) through environment
variables instead of direct shell interpolation.

The vulnerability allowed malicious branch names with shell metacharacters
like $() to execute arbitrary commands. Now these values are safely passed
as environment variables which prevents shell expansion.

Fixes: HIGH severity command injection vulnerability on lines 66-67, 92
2025-12-13 20:47:34 +00:00
..
ci-failure-auto-fix.yml
chore: upgrade actions/checkout from v4 to v5 (#632)
2025-10-20 09:11:13 -07:00
claude.yml
chore: upgrade actions/checkout from v4 to v5 (#632)
2025-10-20 09:11:13 -07:00
issue-deduplication.yml
chore: upgrade actions/checkout from v4 to v5 (#632)
2025-10-20 09:11:13 -07:00
issue-triage.yml
chore: upgrade actions/checkout from v4 to v5 (#632)
2025-10-20 09:11:13 -07:00
manual-code-analysis.yml
chore: upgrade actions/checkout from v4 to v5 (#632)
2025-10-20 09:11:13 -07:00
pr-review-comprehensive.yml
chore: upgrade actions/checkout from v4 to v5 (#632)
2025-10-20 09:11:13 -07:00
pr-review-filtered-authors.yml
chore: upgrade actions/checkout from v4 to v5 (#632)
2025-10-20 09:11:13 -07:00
pr-review-filtered-paths.yml
chore: upgrade actions/checkout from v4 to v5 (#632)
2025-10-20 09:11:13 -07:00
test-failure-analysis.yml
Fix command injection vulnerability in test-failure-analysis.yml
2025-12-13 20:47:34 +00:00