
#3 Fix: Use an intermediate environment variable #8

Open

ndivho-makhuvha wants to merge 3 commits into master from fix/shell-injection-risk-inputs-expanded-directly-inside-bash

Conversation

@ndivho-makhuvha (Collaborator) commented May 28, 2026

Overview

This contribution fixes a shell injection risk by using intermediate environment variables.

Release Notes

  • Fixed shell injection vulnerability: removed direct ${{ inputs.* }} interpolation inside the run: block
  • Inputs are now read exclusively from env vars ($INPUT_CERTIFICATES, $INPUT_WARNING_DAYS) already bound safely via the env: block

Related

Closes #3


Copilot AI left a comment


Pull request overview

This PR aims to fix the composite action’s shell-injection risk by passing action inputs through environment variables before consuming them in Bash.

Changes:

  • Adds env: bindings for certificates and warning_days.
  • Adds input validation for warning_days and JSON array structure.
  • Attempts to replace direct ${{ inputs.* }} usage in the Bash script.

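The before/after pattern that the PR description and the review above both describe, as an added example that is not the project's action.yml, this PR's diff, or either commenter's code. It models what the runner does: a `${{ inputs.* }}` expression inside `run:` is substituted textually into the script before the shell parses it, whereas an `env:` binding delivers the same bytes as a variable the shell treats as data. The input name `warning_days` and the env var `INPUT_WARNING_DAYS` come from the PR text; the malicious input string and the function names `run_vulnerable`, `run_safe` and `validate_warning_days` are constructed here. The JSON-array check for `certificates` that the review mentions is not reproduced (it would normally be done with jq, which this example avoids so it runs with only a POSIX shell).

```shell
#!/bin/sh
# Added example, not code from the PR or the project. Shows why moving
# ${{ inputs.* }} out of `run:` and into `env:` closes the injection.
#
# Before (vulnerable shape, reconstructed from the PR text, not the real diff):
#   runs:
#     using: composite
#     steps:
#       - shell: bash
#         run: echo "warning days: ${{ inputs.warning_days }}"
#
# After (the shape the PR describes):
#   runs:
#     using: composite
#     steps:
#       - shell: bash
#         env:
#           INPUT_WARNING_DAYS: ${{ inputs.warning_days }}
#         run: echo "warning days: $INPUT_WARNING_DAYS"
#
# In the first form the runner splices the raw input into the script text, so
# a value containing a quote and a ';' becomes extra commands. In the second
# form the script text is constant and the value only ever reaches the shell
# through an environment variable.

# Constructed attacker-controlled input (hypothetical): a plausible number,
# a closing quote, a second command, then an opening quote to rebalance.
MALICIOUS_INPUT='30"; echo INJECTED; echo "'

# Vulnerable pattern: build the script text with the value spliced in (what
# the runner does for ${{ inputs.warning_days }}) and hand it to a shell.
run_vulnerable() {
    value=$1
    script='echo "warning days: '"$value"'"'
    sh -c "$script"
}

# Fixed pattern: the script text is fixed; the value travels in an env var.
run_safe() {
    INPUT_WARNING_DAYS=$1 sh -c 'echo "warning days: $INPUT_WARNING_DAYS"'
}

# Defence in depth: warning_days is only meaningful as a non-negative integer,
# so reject anything else before it is used anywhere.
validate_warning_days() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Run both shapes against the same malicious value and show the difference.
demo() {
    printf -- '--- vulnerable (input spliced into script text) ---\n'
    run_vulnerable "$MALICIOUS_INPUT"
    printf -- '--- safe (input passed via env var) ---\n'
    run_safe "$MALICIOUS_INPUT"
    if validate_warning_days "$MALICIOUS_INPUT"; then
        printf 'validation: accepted\n'
    else
        printf 'validation: rejected\n'
    fi
}
```

Calling `demo` prints `INJECTED` on its own line from the vulnerable shape, while the safe shape prints the whole malicious string as part of a single `warning days:` line and the validator rejects it. The same reasoning applies to `certificates`: once it arrives via `$INPUT_CERTIFICATES` it can be parsed as JSON, but it should never be interpolated into the script text.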
ndivho-makhuvha and others added 2 commits May 28, 2026 14:55
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@oto-macenauer-absa (Collaborator) left a comment


lgtm, thanks for the contribution!



Development

Successfully merging this pull request may close these issues.

[Bug]: Shell injection risk — inputs expanded directly inside bash

3 participants