fix: prevent shell injection from PR title with backticks#77

Merged
emmanuelm41 merged 1 commit intomainfrom
fix/pr-title-backtick-injection
Mar 2, 2026
Conversation

@emmanuelm41
Member

Summary

  • Move PR_TITLE from inline ${{ }} interpolation to env: block in all 4 check workflows
  • When PR titles contain backticks (e.g. feat: add `foo` command), the inline expansion causes bash to interpret them as command substitution, resulting in "command not found" CI failures
  • Using env: passes the value safely as an environment variable without shell interpretation

Affected workflows

  • _checks-ts.yaml
  • _checks-rs.yaml
  • _checks-expo.yaml
  • _checks-playwright.yaml

Test plan

  • Verify the CLI PR #565 (which has backticks in the original title) passes CI after this fix is deployed

Move PR_TITLE from inline ${{ }} interpolation to env: block.
When PR titles contain backticks (e.g. feat: add `foo` command),
the inline expansion causes bash to interpret them as command
substitution, resulting in "command not found" CI failures.

Using env: passes the value safely without shell interpretation.
Fixes _checks-ts, _checks-rs, _checks-expo, _checks-playwright.
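The failure mode described in this PR, reproduced locally as an added example (not code from the repository or its workflows). `run_inline` emulates what `run: echo "${{ github.event.pull_request.title }}"` does: the runner pastes the title into the script text before the shell parses it, so backticks become command substitution. `run_env` emulates the fix, `env: PR_TITLE: ${{ ... }}` with `run: echo "$PR_TITLE"`, where the shell only ever sees a variable reference. The sample title is constructed from the one quoted in the description; the function names are assumptions for this illustration.

```shell
#!/bin/sh
# Constructed sample title with backticks, as in the PR description.
PR_TITLE_SAMPLE='feat: add `foo` command'

# Vulnerable pattern: textual substitution into the script, like inline ${{ }}.
# The shell parses `foo` as command substitution (here: command not found,
# so the substitution expands to nothing and the title is silently altered).
run_inline() {
  title="$1"
  script="echo \"Title: $title\""
  sh -c "$script" 2>/dev/null
}

# Fixed pattern: the value arrives as an environment variable and is expanded
# by "$PR_TITLE" at run time, never parsed as shell syntax.
run_env() {
  PR_TITLE="$1" sh -c 'echo "Title: $PR_TITLE"'
}

# Defensive check: does a given approach reproduce the title byte-for-byte?
# Prints "intact" or "altered" and returns 0 / 1 accordingly.
title_intact() {
  mode="$1"; title="$2"
  case "$mode" in
    inline) out="$(run_inline "$title")" ;;
    env)    out="$(run_env "$title")" ;;
    *)      echo "unknown mode: $mode" >&2; return 2 ;;
  esac
  if [ "$out" = "Title: $title" ]; then
    echo intact; return 0
  else
    echo altered; return 1
  fi
}

# Usage when run directly: show both behaviours on the sample title.
if [ "${0##*/}" = "pr_title_demo.sh" ]; then
  printf 'inline: %s\n' "$(title_intact inline "$PR_TITLE_SAMPLE")"
  printf 'env:    %s\n' "$(title_intact env "$PR_TITLE_SAMPLE")"
fi
```

The same difference applies to any shell metacharacter in the title (`$(...)`, `;`, quotes), which is why moving every `${{ }}` value that reaches a `run:` step into `env:` is the general rule, not just a backtick fix.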
@emmanuelm41 emmanuelm41 merged commit 5de6f32 into main Mar 2, 2026
1 check passed
@emmanuelm41 emmanuelm41 deleted the fix/pr-title-backtick-injection branch March 2, 2026 14:54
