From 1a0de5e6f53f6deb8a53b4704fc9d5837f704b85 Mon Sep 17 00:00:00 2001 From: Rhuan Barreto Date: Sat, 14 Mar 2026 10:09:28 +0100 Subject: [PATCH] fix(ci): prevent expression injection in PR title handling Pass PR title via env variable instead of direct interpolation to prevent shell command injection via crafted PR titles (CWE-094). Co-Authored-By: Claude Opus 4.6 --- .github/workflows/code-pull-request.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/code-pull-request.yml b/.github/workflows/code-pull-request.yml index 7a94ef2d..592b24be 100644 --- a/.github/workflows/code-pull-request.yml +++ b/.github/workflows/code-pull-request.yml @@ -41,7 +41,9 @@ jobs: run: bun install --frozen-lockfile - name: Validate commit messages if: github.event_name == 'pull_request' - run: echo "${{ github.event.pull_request.title }}" | bun run commitlint + env: + PR_TITLE: ${{ github.event.pull_request.title }} + run: echo "$PR_TITLE" | bun run commitlint - name: Validate id: validate run: bun run validate