From 0249785911be1b915a160e052c1f51f002dfaf05 Mon Sep 17 00:00:00 2001
From: Deatcu Andrei-Cristian
Date: Fri, 7 Nov 2025 15:33:16 +0200
Subject: [PATCH] Fix vulnerability in issue creation workflow

---
 .github/workflows/issues.yml | 88 +++++++++++++++---------------------
 1 file changed, 37 insertions(+), 51 deletions(-)

diff --git a/.github/workflows/issues.yml b/.github/workflows/issues.yml
index 238a261..96ebdfc 100644
--- a/.github/workflows/issues.yml
+++ b/.github/workflows/issues.yml
@@ -3,6 +3,14 @@ on:
 issues:
 types: [ opened, reopened ]
+env:
+ ISSUE_CREATOR: ${{ github.event.issue.user.login }}
+ ISSUE_TITLE: ${{ github.event.issue.title }}
+ ISSUE_NUMBER: ${{ github.event.issue.number }}
+ ISSUE_URL: ${{ github.event.issue.html_url }}
+ ISSUE_LABELS: "- ${{ join(github.event.issue.labels.*.name) }}"
+ GITHUB_REPO: ${{ github.repository }}
+
 jobs:
 build:
 runs-on: ubuntu-latest
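Review bot: The new `env:` block holds attacker-controlled issue fields but nothing records why they are routed through environment variables, so a later edit could put `${{ github.event.issue.title }}` back inside a `run:` and reopen the injection this commit closes; a comment above `env:` such as `# Issue fields are user-controlled: keep them in env and read them as $VAR inside run:, never interpolate ${{ }} into shell source` would pin the intent. `GITHUB_REPO` duplicates the runner's built-in `GITHUB_REPOSITORY`, and GitHub documents the `GITHUB_` prefix as reserved for its own variables, so the line can be dropped and the jq call in the second hunk can read `--arg repo "$GITHUB_REPOSITORY"` instead. `ISSUE_LABELS` relies on `join()`'s default `,` separator while the leading `- ` suggests a list rendering; stating the intended format in the same comment would save the next reader a guess.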
@@ -10,59 +18,37 @@ jobs:
 steps:
 - name: Git Issue Details
 run: |
- echo "Issue creator: ${{ github.event.issue.user.login }}"
- echo "Issue title: ${{ github.event.issue.title }}"
- echo "Issue number: ${{ github.event.issue.number }}"
- echo "Issue url: ${{ github.event.issue.html_url }}"
+ echo "Issue creator: $ISSUE_CREATOR"
+ echo "Issue title: $ISSUE_TITLE"
+ echo "Issue number: $ISSUE_NUMBER"
+ echo "Issue url: $ISSUE_URL"
 - name: Google Chat Notification
 run: |
- curl --location --request POST '${{ secrets.ISSUE_TRACKER_WEBHOOK }}' \
- --header 'Content-Type: application/json' \
- --data-raw '{
+ payload=$(jq -n \
+ --arg title "$ISSUE_TITLE" \
+ --arg subtitle "Issue No: #$ISSUE_NUMBER" \
+ --arg repo "$GITHUB_REPO" \
+ --arg labels "$ISSUE_LABELS" \
+ --arg url "$ISSUE_URL" \
+ '{
 "cards": [
- {
- "header": {
- "title": "New Issue 🔨",
- "subtitle": "Issue No: #${{ github.event.issue.number }}"
- },
- "sections": [
- {
- "widgets": [
- {
- "keyValue": {
- "topLabel": "Repository",
- "content": "${{ github.repository }}"
- },
- },
- {
- "keyValue": {
- "topLabel": "Title",
- "content": "${{ github.event.issue.title }}"
- }
- },
- {
- "keyValue": {
- "topLabel": "Assigned Labels",
- "content": "- ${{ join(github.event.issue.labels.*.name) }}"
- }
- },
- {
- "buttons": [
- {
- "textButton": {
- "text": "OPEN ISSUE",
- "onClick": {
- "openLink": {
- "url": "${{ github.event.issue.html_url }}"
- }
- }
- }
- }
- ]
- }
- ]
- }
+ {
+ "header": { "title": "New Issue 🔨", "subtitle": $subtitle },
+ "sections": [
+ {
+ "widgets": [
+ { "keyValue": { "topLabel": "Repository", "content": $repo } },
+ { "keyValue": { "topLabel": "Title", "content": $title } },
+ { "keyValue": { "topLabel": "Assigned Labels", "content": $labels } },
+ { "buttons": [ { "textButton": { "text": "OPEN ISSUE", "onClick": { "openLink": { "url": $url } } } } ] }
 ]
- }
+ }
+ ]
+ }
 ]
- }'
+ }')
+
+ curl --location --request POST '${{ secrets.ISSUE_TRACKER_WEBHOOK }}' \
+ --header 'Content-Type: application/json' \
+ --data-raw "$payload"
+
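Review bot: The new `curl` call has no `--fail`, so a 4xx/5xx from the webhook endpoint still exits 0 and the step reports success while no notification was delivered; `curl --fail --silent --show-error --location --request POST ...` makes the failure visible under the step's default `bash -e` shell. `--location` also deserves a second look: on a 301/302/303 redirect curl re-issues the request as GET without the body, so a redirected webhook would silently lose the payload unless the endpoint answers with 307/308. The webhook secret is still interpolated directly into the script as `'${{ secrets.ISSUE_TRACKER_WEBHOOK }}'`, which is not an injection vector in itself but breaks the pattern the rest of the commit adopts and would break the script if the secret ever contained a single quote; a step-level `env:` entry `WEBHOOK_URL: ${{ secrets.ISSUE_TRACKER_WEBHOOK }}` referenced as `"$WEBHOOK_URL"` keeps the approach consistent. The jq `--arg` construction is the right fix for the title and label fields, since jq emits properly escaped JSON strings regardless of their content.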