Skip to content

fixed-remote-url#1

Open
Shubhamservaapty wants to merge 2 commits intomainfrom
bugfix/LSP-24097/fixed-remote-url
Open

fixed-remote-url#1
Shubhamservaapty wants to merge 2 commits intomainfrom
bugfix/LSP-24097/fixed-remote-url

Conversation

@Shubhamservaapty
Copy link

@Shubhamservaapty Shubhamservaapty commented Feb 4, 2025

Removed remotely hosted URL

github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 4, 2025
View reviewed changes
.github/workflows/config.yaml
Comment on lines +73 to +83
run: |
cp package.json ./build
cd build
git init
git config user.email "admin@apty.io"
git config user.name "git-ci"
git add .
git commit -m "${{needs.rules.outputs.branch_name}}-${{github.event.head_commit.message}}" -a
git remote add origin "git@github.com:aptyInc/tinymce-react.git"
git checkout -b "${{needs.rules.outputs.branch_name}}-${{ github.sha }}"
git push origin "${{needs.rules.outputs.branch_name}}-${{ github.sha }}"

Check failure

Code scanning / CodeQL

Expression injection in Actions Critical

Potential injection from the ${{ github.event.head_commit.message }}, which may be controlled by an external user.

Copilot Autofix

AI about 1 year ago

To fix the problem, we need to avoid using user-controlled input directly in the run command. Instead, we should set the untrusted input value to an intermediate environment variable and then use the environment variable using the native shell syntax. This will prevent any potential code injection.

Specifically, we will:

  1. Set the branch_name and commit_message to environment variables.
  2. Use these environment variables in the run command using shell syntax.
Suggested changeset 1
.github/workflows/config.yaml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/config.yaml b/.github/workflows/config.yaml
--- a/.github/workflows/config.yaml
+++ b/.github/workflows/config.yaml
@@ -72,2 +72,6 @@
       - name: Commit code for tinymce-react
+        env:
+          BRANCH_NAME: ${{ needs.rules.outputs.branch_name }}
+          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
+          GITHUB_SHA: ${{ github.sha }}
         run: |
@@ -79,6 +83,6 @@
           git add .
-          git commit -m "${{needs.rules.outputs.branch_name}}-${{github.event.head_commit.message}}" -a
+          git commit -m "${BRANCH_NAME}-${COMMIT_MESSAGE}" -a
           git remote add origin "git@github.com:aptyInc/tinymce-react.git"
-          git checkout -b "${{needs.rules.outputs.branch_name}}-${{ github.sha }}"
-          git push origin "${{needs.rules.outputs.branch_name}}-${{ github.sha }}"
+          git checkout -b "${BRANCH_NAME}-${GITHUB_SHA}"
+          git push origin "${BRANCH_NAME}-${GITHUB_SHA}"
   notifications:
EOF
@@ -72,2 +72,6 @@
- name: Commit code for tinymce-react
env:
BRANCH_NAME: ${{ needs.rules.outputs.branch_name }}
COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
GITHUB_SHA: ${{ github.sha }}
run: |
@@ -79,6 +83,6 @@
git add .
git commit -m "${{needs.rules.outputs.branch_name}}-${{github.event.head_commit.message}}" -a
git commit -m "${BRANCH_NAME}-${COMMIT_MESSAGE}" -a
git remote add origin "git@github.com:aptyInc/tinymce-react.git"
git checkout -b "${{needs.rules.outputs.branch_name}}-${{ github.sha }}"
git push origin "${{needs.rules.outputs.branch_name}}-${{ github.sha }}"
git checkout -b "${BRANCH_NAME}-${GITHUB_SHA}"
git push origin "${BRANCH_NAME}-${GITHUB_SHA}"
notifications:
Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Shubhamservaapty