
fix(ci): prevent shell injection via github.head_ref#686

Merged: blove merged 1 commit into main from blove/fix-dangerous-workflow-injection on Jun 18, 2026

Conversation

@blove (Contributor) commented Jun 18, 2026

Summary

Resolves the OSSF Scorecard Dangerous-Workflow finding (ci.yml:119, score 0 → 10): the api-docs commit-back step interpolated the attacker-controllable PR branch name github.head_ref directly into a run: shell command (git push origin "HEAD:${{ github.head_ref }}").

Fix binds it to an env: var and references "$HEAD_REF", so the value is passed literally and can't break out of the shell context.

Test Plan

  • CI green
  • After merge: Scorecard Dangerous-Workflow → 10

🤖 Generated with Claude Code

Bind github.head_ref to an env var (HEAD_REF) and reference "$HEAD_REF"
instead of interpolating the PR branch name into the run: script. Resolves
OSSF Scorecard Dangerous-Workflow finding (ci.yml:119).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
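The vulnerable step and the hardened form described in the summary, side by side, as an added YAML example (this is not the project's ci.yml; the step names, the surrounding git commands and the docs path are assumed):

```yaml
# Added example, not the project's own workflow. Step names, the
# add/commit commands and the docs/api path are assumed.

# BEFORE (the pattern the OSSF Dangerous-Workflow check flags): the Actions
# runner expands ${{ github.head_ref }} into the script text *before* bash
# parses it, so the PR branch name is parsed as part of the command line
# rather than handed to git as data.
- name: Commit api-docs back to the PR branch (vulnerable)
  run: |
    git add docs/api
    git commit -m "chore: regenerate api docs" || exit 0
    git push origin "HEAD:${{ github.head_ref }}"

# AFTER: the expression is evaluated into an environment variable instead.
# The script text is now fixed; bash reads $HEAD_REF as a value at runtime,
# and the double quotes keep it a single argument whatever it contains.
- name: Commit api-docs back to the PR branch
  env:
    HEAD_REF: ${{ github.head_ref }}
  run: |
    git add docs/api
    git commit -m "chore: regenerate api docs" || exit 0
    git push origin "HEAD:$HEAD_REF"
```

The same env-binding pattern applies to any other user-controlled context value (for example a PR title or body) that a step would otherwise interpolate into `run:`.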
@blove blove enabled auto-merge (squash) June 18, 2026 18:58
@vercel (Bot) commented Jun 18, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project      Deployment  Actions           Updated (UTC)
threadplane  Ready       Preview, Comment  Jun 18, 2026 7:01pm


@blove blove merged commit 5ba6e37 into main Jun 18, 2026
23 of 27 checks passed
