Potential fix for code scanning alert no. 19: Code injection#117
Conversation
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Pull request overview
This PR aims to address GitHub code scanning alert #19 (code injection) by removing direct ${{ ... }} GitHub expression interpolation from within a run: shell script in the release workflow.
Changes:
- Adds a step-level `env:` mapping for the release version in the "Release complete" step.
- Updates the version `echo` statement to use native shell variable expansion (`$RELEASE_VERSION`) instead of `${{ ... }}`.
| echo "✅ Release process complete" | ||
| echo "Version: v${{ steps.version.outputs.version }}" | ||
| echo "Version: v$RELEASE_VERSION" | ||
| echo "Release URL: ${{ steps.create_release.outputs.url }}" |
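Review bot: the `Release URL` line in this hunk still interpolates `${{ steps.create_release.outputs.url }}` directly into the shell script, which is the same pattern the hunk removes for the version line; move it into the step's `env:` block as well (for example `RELEASE_URL: ${{ steps.create_release.outputs.url }}`) and write `echo "Release URL: $RELEASE_URL"`. The `env:` block that the description says was added is outside the visible lines, so also confirm it sits at step level (a sibling of `run:`) rather than inside the script.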
The run: script still embeds a GitHub expression in echo "Release URL: ${{ steps.create_release.outputs.url }}". If this change is intended to address the CodeQL code-injection alert by eliminating ${{ ... }} inside shell scripts, this line should follow the same pattern (map the expression to a step-level env: var and reference it via shell syntax) or the alert may persist.
@copilot open a new pull request to apply changes based on this feedback
@copilot open a new pull request to apply changes based on the comments in this thread
Version bump type: patch
PR: #117
Title: Potential fix for code scanning alert no. 19: Code injection
Potential fix for https://github.com/anoncam/dedpaste/security/code-scanning/19
General fix: avoid using `${{ ... }}` expressions containing untrusted input directly inside `run:` scripts. Instead, map the expression to an environment variable at the step level (`env:`), and then reference that variable using native shell syntax (`$VAR`) inside the script. This prevents GitHub expression syntax from appearing in the script content itself, which is what CodeQL flags.

Concrete fix here:
- The "Release complete" step used `${{ steps.version.outputs.version }}` inside the shell script.
- Add an `env:` section to that step, defining something like `RELEASE_VERSION: ${{ steps.version.outputs.version }}`.
- Change the `echo` line to use `$RELEASE_VERSION` instead of `${{ steps.version.outputs.version }}`.

Only `.github/workflows/release-with-sbom.yml` is affected, and no new imports or external tools are required.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
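The following is an added example, not code from the dedpaste repository or from the PR, that reproduces the mechanism behind the alert outside of GitHub Actions. It mimics how the runner substitutes a `${{ ... }}` expression into the `run:` script text before the shell parses it, next to the hardened form in which the value reaches the script only through a step-level `env:` variable. The step and output names (`steps.version.outputs.version`, `RELEASE_VERSION`) mirror the PR; the tainted value is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the dedpaste repo). GitHub Actions expands ${{ ... }}
# into the run: script *source* before the shell sees it, so a crafted step
# output becomes shell code. A step-level env: variable is expanded by the
# shell itself and stays data.

# Constructed attacker-controlled value, standing in for a tainted
# steps.version.outputs.version (for example derived from a tag or PR title).
MALICIOUS_VERSION='1.2.3"; echo INJECTED; echo "'
BENIGN_VERSION='1.2.3'

# Vulnerable pattern:
#   run: echo "Version: v${{ steps.version.outputs.version }}"
# The value is pasted into the script text, then the text is executed.
run_interpolated() {
    script=$(printf 'echo "Version: v%s"\n' "$1")
    sh -c "$script"
}

# Hardened pattern (what the PR applies to the version line):
#   env:
#     RELEASE_VERSION: ${{ steps.version.outputs.version }}
#   run: echo "Version: v$RELEASE_VERSION"
# The script text is constant; the value only arrives via the environment.
run_with_env() {
    RELEASE_VERSION=$1 sh -c 'echo "Version: v$RELEASE_VERSION"'
}

# Count output lines that are exactly "INJECTED": 1 means the payload executed.
injected_lines() {
    grep -xc INJECTED || true
}

# Show both behaviours when run directly.
printf 'interpolated: %s injected line(s)\n' \
    "$(run_interpolated "$MALICIOUS_VERSION" | injected_lines)"
printf 'env var:      %s injected line(s)\n' \
    "$(run_with_env "$MALICIOUS_VERSION" | injected_lines)"
```

With the malicious value, the interpolated form executes the injected `echo INJECTED`, while the `env:` form prints the whole value as a literal string on one line; with a benign version both print the same `Version: v1.2.3`, which is why the fix is behaviour-preserving for normal releases.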