mirror of
https://github.com/anthropics/claude-code-action.git
synced 2026-01-22 22:44:13 +08:00
Prevent command injection by passing untrusted GitHub context values (workflow_run.name and workflow_run.head_branch) through environment variables instead of direct shell interpolation.

The vulnerability allowed malicious branch names with shell metacharacters like $() to execute arbitrary commands. Now these values are safely passed as environment variables, which prevents shell expansion.

Fixes: HIGH severity command injection vulnerability on lines 66-67, 92
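The difference the commit describes can be reproduced outside GitHub Actions. In a workflow, an `${{ ... }}` expression inside a `run:` block is substituted into the script text before the shell parses it, which is exactly what an outer `sh -c "... $1 ..."` does to its argument; an `env:` entry instead hands the value to the shell as a variable that is only ever expanded, never re-parsed. The script below is an added example, not code from the claude-code-action repository: the branch name is constructed, and the two function names are hypothetical.

```shell
#!/bin/sh
# Added example (not the project's own code): a branch name carrying a
# command substitution, handled the vulnerable way and the hardened way.
#
# Constructed, hypothetical branch name. Single quotes keep it literal here.
BRANCH_NAME='main$(echo INJECTED)'

# Vulnerable pattern. The value is pasted into the script text before the
# child shell parses it, so the $(...) inside it runs. This mirrors
#   run: echo "Branch: ${{ github.event.workflow_run.head_branch }}"
vulnerable_interpolation() {
    sh -c "echo \"Branch: $1\""
}

# Hardened pattern. The value reaches the child shell as an environment
# variable and is referenced by name, so its content is expanded but never
# parsed as code. This mirrors
#   env:
#     BRANCH: ${{ github.event.workflow_run.head_branch }}
#   run: echo "Branch: $BRANCH"
safe_env_var() {
    BRANCH="$1" sh -c 'echo "Branch: $BRANCH"'
}

# Stand-alone demonstration of both paths.
echo "vulnerable: $(vulnerable_interpolation "$BRANCH_NAME")"
echo "hardened:   $(safe_env_var "$BRANCH_NAME")"
```

The first line prints `Branch: mainINJECTED` because the substitution executed; the second prints the branch name verbatim, `$(` and all. The same reasoning applies to `workflow_run.name`, or any other context value an outside contributor controls (PR titles, commit messages, issue bodies): if it is needed in a `run:` step, bind it under `env:` and quote the variable in the script.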
4.4 KiB