codecov-action/action.yml
Tom Hu 51e64229ac fix: prevent template injection in run: steps (VULN-1652) (#1947)
Replace direct ${{ inputs.skip_validation }}, ${{ inputs.use_oidc }},
${{ inputs.token }}, and ${{ env.CODECOV_TOKEN }} interpolation inside
run: shell scripts with env-var indirection. GitHub Actions resolves
template expressions before the shell sees the script, so any consumer
workflow that passes user-controlled data into these inputs could
achieve arbitrary command execution on the runner. Moving the values
into env: entries and referencing them as $INPUT_* shell variables
ensures the shell always treats them as data, not code.
2026-05-14 03:59:22 +09:00

14 KiB
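The pattern the commit describes, shown on a hypothetical composite action as an added example (this is not codecov-action's own action.yml; the input names, the ./uploader command and the CODECOV_TOKEN variable are assumptions standing in for the real ones):

```yaml
# Added example, not the project's code. GitHub Actions expands ${{ ... }}
# expressions before the shell is started, so an expression placed directly
# inside run: becomes part of the script text. Values passed through env:
# reach bash only as variables and are therefore always treated as data.
name: Example composite action (hypothetical)
inputs:
  token:
    description: Upload token supplied by the consumer workflow (assumed name)
    required: false
  skip_validation:
    description: Skip validation when "true" (assumed name)
    default: "false"
runs:
  using: composite
  steps:
    # BEFORE: direct interpolation into the script. Whatever the consumer
    # workflow put into these inputs is pasted into the script before bash
    # parses it, which is the injection the commit removes.
    - name: Upload (direct interpolation, the pattern being fixed)
      shell: bash
      run: |
        if [ "${{ inputs.skip_validation }}" != "true" ]; then
          ./uploader --validate
        fi
        ./uploader --token "${{ inputs.token }}"
        ./uploader --token "${{ env.CODECOV_TOKEN }}"

    # AFTER: the same logic with env-var indirection. Expressions appear
    # only on the right-hand side of env: entries; the script references
    # plain shell variables. A variable already in the job environment
    # (CODECOV_TOKEN here) needs no expression at all, just $CODECOV_TOKEN.
    - name: Upload (env-var indirection)
      shell: bash
      env:
        INPUT_TOKEN: ${{ inputs.token }}
        INPUT_SKIP_VALIDATION: ${{ inputs.skip_validation }}
      run: |
        if [ "$INPUT_SKIP_VALIDATION" != "true" ]; then
          ./uploader --validate
        fi
        ./uploader --token "$INPUT_TOKEN"
        ./uploader --token "$CODECOV_TOKEN"
```

A quick review check for an existing action.yml or workflow is to look for any `${{` that occurs inside a `run:` block; after this refactoring, expressions should appear only under `env:`, `with:`, `if:` and similar keys.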