Skip to content

Update documentation example usage to avoid executing untrusted inputs#336

Merged
Codex- merged 1 commit intoCodex-:mainfrom
JackPGreen:untrusted-inputs
Mar 22, 2026
Merged

Update documentation example usage to avoid executing untrusted inputs#336
Codex- merged 1 commit intoCodex-:mainfrom
JackPGreen:untrusted-inputs

Conversation

@JackPGreen
Copy link
Copy Markdown
Contributor

@JackPGreen JackPGreen commented Mar 22, 2026
edited by coderabbitai Bot
Loading

The example shown in the documentation:

return-dispatch/README.md

Lines 67 to 68 in 16fa9d1

- name: echo distinct ID ${{ github.event.inputs.distinct_id }}
run: echo ${{ github.event.inputs.distinct_id }}

Is vulnerable to untrusted input execution (i.e. distinct_id could be a malicious command). See this document (specifically - Remediation) for more details.

Also, the command can be simplified as inputs.blah is equivalent to github.event.inputs.blah, but also handles workflow_call inputs.

Summary by CodeRabbit

  • Documentation
    • Updated workflow example in README to demonstrate improved handling of workflow inputs using environment variables instead of direct interpolation.

@JackPGreen
Update documentation example usage to avoid executing untrusted inputs
fbb366a 
The example shown in the documentation:
https://github.com/Codex-/return-dispatch/blob/16fa9d14771c4d56ae0196bbda1d3c17f7f3650f/README.md?plain=1#L67-L68

Is vulnerable to untrusted input execution (i.e. `distinct_id` _could_ be a malicious command). See [this document](https://securitylab.github.com/resources/github-actions-untrusted-input/) (specifically - `Remediation`) for more details.

Also, the command can be simplified [as `inputs.blah` is equivalent to `github.event.inputs.blah`](https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#providing-inputs), but [_also_ handles `workflow_call` `inputs`](https://github.blog/changelog/2022-06-09-github-actions-inputs-unified-across-manual-and-reusable-workflows/).
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented Mar 22, 2026
edited
Loading

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f4ab0325-0eda-4c72-986e-9e37255781cd

📥 Commits

Reviewing files that changed from the base of the PR and between 16fa9d1 and fbb366a.

📒 Files selected for processing (1)
  • README.md
📝 Walkthrough

Walkthrough

The README.md file updates a GitHub Actions workflow example showing how to receive repository inputs. The step that prints distinct_id changes from using github.event.inputs.distinct_id to inputs.distinct_id, and refactors to access the value via an environment variable instead of direct interpolation.

Changes

Cohort / File(s) Summary
Documentation
README.md		 Updated GitHub Actions workflow example to use inputs.distinct_id and pass the value through an environment variable (DISTINCT_ID) instead of direct command interpolation.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A workflow so fine, now cleaner and bright,
With inputs accessed in the proper light,
Through env variables we gently convey,
The distinct_id flows in the GitHub way! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title directly addresses the main change: updating documentation examples to prevent execution of untrusted inputs, which matches the core security improvement in the PR.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Tip

CodeRabbit can suggest fixes for GitHub Check annotations.

Configure the reviews.tools.github-checks setting to adjust the time to wait for GitHub Checks to complete.

Codex-
Codex- approved these changes Mar 22, 2026
View reviewed changes
Copy link
Copy Markdown
Owner

@Codex- Codex- left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@Codex- Codex- merged commit 5732b69 into Codex-:main Mar 22, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Codex- Codex- Codex- approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@JackPGreen @Codex-