Commit fe4d102
Mitigate template injection in release workflow (#325)
Pass `inputs.working_directory` and `github.ref_name` to the
"Validate release version" step through environment variables instead
of interpolating `${{ ... }}` expressions directly into the `run`
shell command. `github.ref_name` is attacker-influenceable, so direct
interpolation allowed shell/command injection.
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>1 parent f5847f9 commit fe4d102
1 file changed
Lines changed: 4 additions & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
44 | 44 | | |
45 | 45 | | |
46 | 46 | | |
47 | | - | |
| 47 | + | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
48 | 51 | | |
49 | 52 | | |
50 | 53 | | |
| |||
0 commit comments