From 1804954da7b6dd410e3010d0914d6094ef839e52 Mon Sep 17 00:00:00 2001
From: lml2468
Date: Mon, 1 Jun 2026 00:39:40 +0800
Subject: [PATCH] fix(ci): eliminate script injection in pr-labeler + add iOS/Android dep patterns (W-08)

Security:
- Replace direct ${{ inputs.* }} interpolation in JavaScript string literals with env: + process.env.* pattern, consistent with all other reusable workflows in this repo
- Eliminates latent script injection vector in pull_request_target context

Functionality:
- Add Podfile/Podfile.lock to LOCKFILES and DEP_FILES for iOS (octo-ios)
- Add build.gradle/settings.gradle (.kts variants) to DEP_FILES for Android (octo-android)
- Lockfile-excluded size calculation now also skips Podfile.lock

Both changes are backward-compatible; no caller modifications needed.
---
 .github/workflows/reusable-pr-labeler.yml | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/reusable-pr-labeler.yml b/.github/workflows/reusable-pr-labeler.yml
index 0ab80b1..1fada04 100644
--- a/.github/workflows/reusable-pr-labeler.yml
+++ b/.github/workflows/reusable-pr-labeler.yml
@@ -29,17 +29,24 @@ jobs:
     steps:
       - name: Apply size label and detect dependency changes
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        env:
+          PR_NUMBER: ${{ inputs.pr_number }}
+          REPO_OWNER: ${{ inputs.repo_owner }}
+          REPO_NAME: ${{ inputs.repo_name }}
         with:
           script: |
-            const owner = '${{ inputs.repo_owner }}';
-            const repo = '${{ inputs.repo_name }}';
-            const prNumber = Number('${{ inputs.pr_number }}');
+            const owner = process.env.REPO_OWNER;
+            const repo = process.env.REPO_NAME;
+            const prNumber = parseInt(process.env.PR_NUMBER, 10);
             const LOCKFILES = new Set([
               'go.sum', 'pnpm-lock.yaml', 'package-lock.json', 'yarn.lock',
+              'Podfile.lock',
             ]);
             const DEP_FILES = new Set([
               'go.mod', 'go.sum', 'package.json', 'pnpm-lock.yaml', 'yarn.lock',
+              'Podfile', 'Podfile.lock',
+              'build.gradle', 'build.gradle.kts', 'settings.gradle', 'settings.gradle.kts',
             ]);
             // Fetch all changed files in the PR
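Review bot: `const prNumber = parseInt(process.env.PR_NUMBER, 10);` yields NaN for an empty or non-numeric `pr_number` and the script carries that value into the API calls that follow, so a missing or malformed input surfaces as an opaque Octokit error instead of a clear failure; it also accepts trailing junk (`'42abc'` parses to 42) that the previous `Number('…')` form rejected. Validate before use: `const prNumber = Number(process.env.PR_NUMBER);` followed by `if (!Number.isInteger(prNumber) || prNumber <= 0) throw new Error('pr_number must be a positive integer, got: ' + process.env.PR_NUMBER);`. Moving the inputs into `env:` is the right fix because they no longer become part of the generated JavaScript, but `workflow_call` inputs are still set by the calling workflow, so `owner`/`repo` remain caller-controlled data and should be treated as untrusted wherever they later reach a shell command or a URL, not only in this step. The `script:` block continues past the end of this hunk.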