mirror of
https://github.com/anthropics/claude-code-action.git
synced 2026-01-22 22:44:13 +08:00
Fix command injection vulnerability where github.event.workflow_run.head_branch was directly interpolated into shell commands.

Branch names containing shell metacharacters could execute arbitrary commands.

Changes:
- Pass head_branch through environment variables instead of direct interpolation
- Affects gh pr list --head and gh workflow run --ref commands
- Prevents execution of malicious code in branch names

Severity: HIGH
Category: command_injection
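As an added example (not code from the claude-code-action repository or this commit), the POSIX shell script below is a small checker for the class of defect the commit fixes. It scans a workflow file for `run:` steps that interpolate untrusted event data (`${{ github.event.... }}` or `${{ github.head_ref }}`) straight into the shell script, while accepting the `env:` mapping form the commit adopts, where the value is passed to the shell as data and quoted as `"$HEAD_BRANCH"`. The two workflow files it checks are constructed samples modelled on the `gh pr list --head` and `gh workflow run --ref` commands named in the commit message; the file and step names are assumptions. The detection is a line-level heuristic, not a YAML parser.

```shell
#!/bin/sh
# Added example: flag GitHub Actions `run:` steps that interpolate untrusted
# event expressions directly into shell code. Not part of the project.

# Print each line of a workflow file that puts a github.event.* / github.head_ref
# expression inside a run script. Exit status 1 if any were found, 0 otherwise.
# `key: ${{ ... }}` mappings (env:, with:) are accepted: there the expression
# becomes a value, not shell syntax.
find_unsafe_interpolation() {
    awk '
        /[$][{][{] *github\.(event\.|head_ref)/ {
            is_mapping = ($0 ~ /^[[:space:]]*-?[[:space:]]*[A-Za-z_][A-Za-z0-9_-]*:[[:space:]]*[$][{][{]/)
            is_run     = ($0 ~ /^[[:space:]]*-?[[:space:]]*run:/)
            if (is_mapping && !is_run) next
            print FILENAME ":" NR ": " $0
            found = 1
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# Constructed sample workflows (assumed file names), written to a temp dir.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

# Vulnerable form: the branch name is spliced into the shell script text.
cat > "$DEMO_DIR/vulnerable.yml" <<'EOF'
name: run-on-workflow-run
on:
  workflow_run:
    workflows: ["CI"]
    types: [completed]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.workflow_run.head_branch }}
      - run: gh pr list --head ${{ github.event.workflow_run.head_branch }}
      - run: |
          gh workflow run deploy.yml --ref ${{ github.event.workflow_run.head_branch }}
EOF

# Fixed form: the value travels through an env var and is quoted in the script,
# so metacharacters in the branch name are never parsed as shell syntax.
cat > "$DEMO_DIR/fixed.yml" <<'EOF'
name: run-on-workflow-run
on:
  workflow_run:
    workflows: ["CI"]
    types: [completed]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.workflow_run.head_branch }}
      - env:
          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
        run: |
          gh pr list --head "$HEAD_BRANCH"
          gh workflow run deploy.yml --ref "$HEAD_BRANCH"
EOF

# Usage: report findings per file.
find_unsafe_interpolation "$DEMO_DIR/vulnerable.yml" || echo "vulnerable.yml: unsafe interpolation found"
find_unsafe_interpolation "$DEMO_DIR/fixed.yml" && echo "fixed.yml: clean"
```

Only the two `run` lines of the vulnerable sample are reported; the `with: ref:` mapping in both files and the `env:` mapping in the fixed file are accepted, since a `${{ }}` expression there is substituted into a YAML value rather than into a shell command line. In a real repository the function would be run over every file in `.github/workflows/`.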
4.4 KiB