
Copilot AI commented Dec 15, 2025

Description
Command injection vulnerability in format.yml where ADYEN_AUTOMATION_BOT_EMAIL secret was interpolated directly into shell command. If secret contained shell metacharacters, arbitrary code could execute.

Changed from direct interpolation:

run: |
  git config user.email "${{ secrets.ADYEN_AUTOMATION_BOT_EMAIL }}"

To environment variable:

env:
  BOT_EMAIL: ${{ secrets.ADYEN_AUTOMATION_BOT_EMAIL }}
run: |
  git config user.email "$BOT_EMAIL"

Shell treats environment variables as strings, preventing code injection.

Tested scenarios

  • YAML syntax validation passed
  • CodeQL security scan: 0 alerts
  • Reviewed all 8 workflows: no other vulnerabilities found

Fixed issue:

Original prompt

This section details the original issue you should resolve

<issue_title>[Bug]: Over-privileged Token and Command Injection Risk</issue_title>
<issue_description>### Description

Over-privileged Token and Command Injection Risk

Steps to reproduce

This workflow uses a high-privilege PAT (ADYEN_AUTOMATION_BOT_ACCESS_TOKEN) to automatically commit and push formatting changes. A compromised script or dependency in the mvn spotless:apply step could abuse this token to push malicious code. The script also blindly adds all changes (git add .) without verification.

🛡️ Specific Fix: Prevent Command Injection

The Vulnerability: Untrusted input (like a branch name, PR title, or workflow input) is being inserted directly into a shell command.

❌ Vulnerable Code:

  - run: ./scripts/myscript.sh "${{ github.head_ref }}"

✅ Secure Code: Map the input to an environment variable. The shell will treat the variable as a string, preventing code execution.

  - name: Safe Execution
    env:
      BRANCH_NAME: ${{ github.head_ref }}
    run: ./scripts/myscript.sh "$BRANCH_NAME"

Actual behavior

No response

Expected behavior

xx

Code snippet or screenshots (if applicable)

No response

Adyen Java API Library version

Latest

Java version

11

Operating System

Windows

Additional context

No response</issue_description>

<agent_instructions>Update the workflows that require defining an environment variables that can be passed to a Shell command</agent_instructions>

Comments on the Issue (you are @copilot in this section)
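The fix in this PR and the pattern in the linked issue rest on one fact: a `${{ ... }}` expression inside a `run:` scalar is substituted into the script as text before the shell ever parses it, so quoting in the script cannot protect against metacharacters in the value. The scanner below is an added example, not code from the Adyen project or from this PR, that finds exactly that pattern in workflow files so the remaining seven workflows (or any repository) can be checked mechanically. It is a line-based scan rather than a full YAML parser (an assumption made to keep it dependency-free), and the two embedded workflows are constructed samples modelled on the vulnerable and fixed snippets above, including the `secrets.ADYEN_AUTOMATION_BOT_EMAIL` name from the PR description.

```python
import re
from dataclasses import dataclass

# A GitHub Actions expression: ${{ ... }}. Actions substitutes these into the
# step script as text *before* the shell parses it, so any expression inside a
# run: scalar is an injection point regardless of how the script quotes it.
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")

# A `run:` key, optionally as the first key of a list item (`- run:`).
# group(1) is everything before "run", so its length is the column of the key.
RUN_RE = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")


@dataclass
class Finding:
    line: int         # 1-based line in the workflow file
    expression: str   # text inside ${{ }}
    context: str      # leading context name, e.g. "secrets", "github", "env"
    script_line: str  # the script line that contains the expression


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _findings_in(lineno: int, text: str) -> list[Finding]:
    return [
        Finding(lineno, em.group(1),
                em.group(1).split(".")[0].split("[")[0], text.strip())
        for em in EXPR_RE.finditer(text)
    ]


def find_run_interpolations(workflow_text: str) -> list[Finding]:
    """Report every ${{ }} expression that sits inside a `run:` scalar.

    Assumption: a line-based scan is enough for real workflows. It handles
    inline scalars and block scalars (`|`, `>`, with chomping or indentation
    indicators); it does not handle flow-style YAML.
    """
    findings: list[Finding] = []
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_col = len(m.group(1))
        value = m.group(2).strip()
        if value.startswith(("|", ">")):
            # Block scalar: the body is every following line indented deeper
            # than the `run` key itself; blank lines belong to the body too.
            j = i + 1
            while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) > key_col):
                findings.extend(_findings_in(j + 1, lines[j]))
                j += 1
            i = j
        else:
            findings.extend(_findings_in(i + 1, value))
            i += 1
    return findings


# Constructed samples modelled on the snippets in the PR and issue above.
VULNERABLE_WORKFLOW = """\
name: format
on: [pull_request]
jobs:
  format:
    runs-on: ubuntu-latest
    steps:
      - run: |
          git config user.email "${{ secrets.ADYEN_AUTOMATION_BOT_EMAIL }}"
      - run: ./scripts/myscript.sh "${{ github.head_ref }}"
"""

FIXED_WORKFLOW = """\
name: format
on: [pull_request]
jobs:
  format:
    runs-on: ubuntu-latest
    steps:
      - name: Safe Execution
        env:
          BOT_EMAIL: ${{ secrets.ADYEN_AUTOMATION_BOT_EMAIL }}
          BRANCH_NAME: ${{ github.head_ref }}
        run: |
          git config user.email "$BOT_EMAIL"
          ./scripts/myscript.sh "$BRANCH_NAME"
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_WORKFLOW), ("fixed", FIXED_WORKFLOW)):
        found = find_run_interpolations(text)
        print(f"{name}: {len(found)} interpolation(s) inside run:")
        for f in found:
            print(f"  line {f.line}: ${{{{ {f.expression} }}}} ({f.context}) in: {f.script_line}")
```

Note that the scanner also flags `${{ env.X }}` written inside a `run:` block: moving a value into `env:` only helps when the script then reads it as `$X` through the shell, because `${{ env.X }}` is still a template substitution into the script text. Every expression the scanner reports is a candidate for the same `env:` plus `"$VAR"` rewrite this PR applies.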



Copilot AI changed the title [WIP] Fix command injection risk in workflow fix: prevent command injection in format workflow Dec 15, 2025
Copilot AI requested a review from gcatanese December 15, 2025 14:32
@gcatanese gcatanese marked this pull request as ready for review December 15, 2025 15:37
@gcatanese gcatanese requested review from a team as code owners December 15, 2025 15:37
@gcatanese gcatanese added the Fix Indicates a bug fix label Dec 16, 2025


Development

Successfully merging this pull request may close these issues.

[Bug]: Over-privileged Token and Command Injection Risk