Harden generated workflow script against unsafe JSON quoting (CodeQL alert #600)#33550

Closed
Copilot wants to merge 3 commits into main from copilot/fix-code-scanning-alert-600
Conversation

Contributor

Copilot AI commented May 20, 2026

This PR addresses the code scanning finding for unsafe quoting in generated script content. The fix replaces brittle string embedding with safe literal encoding while preserving the behavior of network allowlist expansion.

  • What changed
    • Updated buildWorkflowCallNetworkAllowedUpdateScript in pkg/workflow/awf_helpers.go to embed JSON using Go-escaped string literals instead of raw triple-quoted interpolation in Python.
  • Why this resolves the alert
    • Eliminates quote-breakout risk in generated Python by avoiding manual/raw quoting of serialized JSON payloads.
  • Code-level delta

    // before
    ecosystem_map = json.loads(r'''%s''')

    // after
    ecosystem_map = json.loads(%q)
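Added example, not code from this PR or from the repository: a small Go program that renders the Python line with both templates for a constructed allowlist whose one entry contains `'''`, then checks whether the generated Python still holds a single string literal. All names here (sampleMap, marshalSample, buildRaw, buildQuoted, the two *Intact checks) are assumptions made for the example; the real helper in pkg/workflow/awf_helpers.go is not reproduced.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed allowlist; the "odd" entry carries ''' to show the split.
var sampleMap = map[string][]string{
	"python": {"pypi.org", "files.pythonhosted.org"},
	"odd":    {"host''' # stray quotes"},
}
// marshalSample serialises the allowlist; encoding/json never escapes '.
func marshalSample() []byte {
	b, err := json.Marshal(sampleMap)
	if err != nil {
		panic(err) // cannot happen for map[string][]string
	}
	return b
}

// buildRaw mirrors the pre-fix template: payload pasted into r'''...'''.
func buildRaw(payload []byte) string {
	return fmt.Sprintf("ecosystem_map = json.loads(r'''%s''')\n", payload)
}

// buildQuoted mirrors the fix: %q escapes every " and \ in the payload.
func buildQuoted(payload []byte) string {
	return fmt.Sprintf("ecosystem_map = json.loads(%q)\n", payload)
}

// rawLiteralIntact: the first ''' after r''' must also be the last one (assumes buildRaw output).
func rawLiteralIntact(line string) bool {
	body := line[strings.Index(line, "r'''")+4:]
	return strings.Index(body, "'''") == strings.LastIndex(body, "'''")
}

// quotedLiteralIntact walks the "..." literal honouring backslash escapes; the closing quote must be followed by ")\n".
func quotedLiteralIntact(line string) bool {
	for i := strings.Index(line, `"`) + 1; i < len(line); i++ {
		switch line[i] {
		case '\\':
			i++ // skip the escaped character
		case '"':
			return line[i+1:] == ")\n"
		}
	}
	return false
}
```

With the constructed payload, rawLiteralIntact reports false (the inner `'''` closes the raw literal early) while quotedLiteralIntact reports true, because `%q` turns every inner `"` into `\"`, which Python reads back as a plain quote inside the string.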

Copilot AI and others added 2 commits May 20, 2026 13:44
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix code scanning alert 600" to "Harden generated workflow script against unsafe JSON quoting (CodeQL alert #600)" May 20, 2026
Copilot AI requested a review from pelikhan May 20, 2026 13:55
@pelikhan
Collaborator

@copilot merge main and recompile

@pelikhan pelikhan closed this May 20, 2026
Copilot stopped work on behalf of pelikhan due to an error May 20, 2026 14:39

2 participants