You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
General Fix:
To safely use user-controlled input in GitHub Actions workflow scripts (especially with run in a shell context), the recommended practice is to place the user-controlled value into an environment variable via the env: block, and then access it within the shell natively (e.g., as $Env:BODY in PowerShell). This guarantees that the value is passed to the script by the operating system, not expanded inline as source code, and avoids code injection even if the input contains special characters.
Specific Fix:
In the step "Extract tip information from issue and create new tip file," move the assignment of ${{ github.event.issue.body }} from inline expansion within the script to the env: block as, for example, ISSUE_BODY: ${{ github.event.issue.body }}.
Update the script to assign $body from $Env:ISSUE_BODY (not by interpolating expansion inline), e.g., string $body = $Env:ISSUE_BODY.
This edit ensures the workflow safely handles the untrusted input, matching GitHub's security guidance for code-injection prevention.
All changes are within .github/workflows/process-new-powershell-tip-issue.yml, and no new package dependencies are required.
Suggested fixes powered by Copilot Autofix. Review carefully before merging.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Potential fix for https://github.com/deadlydog/PowerShell.tiPS/security/code-scanning/1
General Fix:
To safely use user-controlled input in GitHub Actions workflow scripts (especially with
runin a shell context), the recommended practice is to place the user-controlled value into an environment variable via theenv:block, and then access it within the shell natively (e.g., as$Env:BODYin PowerShell). This guarantees that the value is passed to the script by the operating system, not expanded inline as source code, and avoids code injection even if the input contains special characters.Specific Fix:
${{ github.event.issue.body }}from inline expansion within the script to theenv:block as, for example,ISSUE_BODY: ${{ github.event.issue.body }}.$bodyfrom$Env:ISSUE_BODY(not by interpolating expansion inline), e.g.,string $body = $Env:ISSUE_BODY.Suggested fixes powered by Copilot Autofix. Review carefully before merging.