Skip to content

fix(ci): prevent expression injection in PR title handling#55

Merged
rhuanbarreto merged 1 commit into
mainfrom
claude/modest-diffie
Mar 14, 2026
Merged

fix(ci): prevent expression injection in PR title handling#55
rhuanbarreto merged 1 commit into
mainfrom
claude/modest-diffie

Conversation

@rhuanbarreto

Copy link
Copy Markdown
Contributor

Summary

  • Fixes Code scanning alert fix: improve packaging #4: Cache Poisoning via low-privileged code injection
  • Passes github.event.pull_request.title through an env: block instead of direct ${{ }} interpolation in a run: command, preventing shell command injection via crafted PR titles (CWE-094)

Test plan

  • Verify the Validate commit messages step still works correctly on this PR
  • Confirm code scanning alert fix: improve packaging #4 is resolved after merge

🤖 Generated with Claude Code

Pass PR title via env variable instead of direct interpolation to
prevent shell command injection via crafted PR titles (CWE-094).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@rhuanbarreto rhuanbarreto force-pushed the claude/modest-diffie branch from ab97d9c to 1a0de5e Compare March 14, 2026 09:10
@rhuanbarreto rhuanbarreto merged commit 036615f into main Mar 14, 2026
6 checks passed
@rhuanbarreto rhuanbarreto deleted the claude/modest-diffie branch March 14, 2026 09:13
@github-actions github-actions Bot mentioned this pull request Mar 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant