chore(security): prevent script and commit-message injections (#512)

olivermeyer · claude · web-flow · commit 24737e05326a · 2026-03-27T12:36:40.000+01:00
Co-authored-by: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/actions/run-tests/action.yml b/.github/actions/run-tests/action.yml
@@ -30,9 +30,12 @@ runs:
         (!contains(inputs.commit-message, 'skip:test:all')) &&
         (!contains(github.event.pull_request.labels.*.name, 'skip:test:all'))
       shell: bash
+      env:
+        MAKE_TARGET: ${{ inputs.make-target }}
+        SUMMARY_TITLE: ${{ inputs.summary-title }}
       run: |
         set +e
-        make ${{ inputs.make-target }}
+        make $MAKE_TARGET
         EXIT_CODE=$?
         # Show test execution in GitHub Job summary
         found_files=0
@@ -44,7 +47,7 @@ runs:
         fi
         done
         if [ $found_files -eq 0 ]; then
-          echo "# ${{ inputs.summary-title }}" >> $GITHUB_STEP_SUMMARY
+          echo "# $SUMMARY_TITLE" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
         fi
         # Show test coverage in GitHub Job summary
diff --git a/.github/workflows/_package-publish.yml b/.github/workflows/_package-publish.yml
@@ -167,7 +167,9 @@ jobs:
 
       - name: Print the release notes
         shell: bash
-        run: cat "${{ steps.git-cliff.outputs.changelog }}"
+        env:
+          GIT_CLIFF_CHANGELOG: ${{ steps.git-cliff.outputs.changelog }}
+        run: cat "$GIT_CLIFF_CHANGELOG"
 
       - name: Build distribution into dist/
         shell: bash
@@ -202,23 +204,27 @@ jobs:
           (!contains(github.event.pull_request.labels.*.name, 'skip:test:all'))
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REF_NAME: ${{ github.ref_name }}
+          GIT_CLIFF_CHANGELOG: ${{ steps.git-cliff.outputs.changelog }}
         shell: bash
         run: |
           rm -rf ./test-results/coverage_html
-          gh release create ${{ github.ref_name }} ./dist/* ./dist_native_zipped/* ./test-results/* ./audit-results/*   \
-            --notes-file ${{ steps.git-cliff.outputs.changelog }}
+          gh release create "$GH_REF_NAME" ./dist/* ./dist_native_zipped/* ./test-results/* ./audit-results/*   \
+            --notes-file "$GIT_CLIFF_CHANGELOG"
 
       - name: Create GitHub release (no test results)
         if: |
           (contains(inputs.commit_message, 'skip:test:all')) ||
           (contains(github.event.pull_request.labels.*.name, 'skip:test:all'))
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REF_NAME: ${{ github.ref_name }}
+          GIT_CLIFF_CHANGELOG: ${{ steps.git-cliff.outputs.changelog }}
         shell: bash
         run: |
           rm -rf ./test-results/coverage_html
-          gh release create ${{ github.ref_name }} ./dist/* ./dist_native_zipped/* ./audit-results/*   \
-            --notes-file ${{ steps.git-cliff.outputs.changelog }}
+          gh release create "$GH_REF_NAME" ./dist/* ./dist_native_zipped/* ./audit-results/*   \
+            --notes-file "$GIT_CLIFF_CHANGELOG"
 
       - name: Inform Sentry about release
         uses: getsentry/action-release@dab6548b3c03c4717878099e43782cf5be654289 # v3.5.0
@@ -233,10 +239,12 @@ jobs:
       - name: Convert release notes from Markdown to Slack mrkdwn
         id: slack-notes
         shell: bash
+        env:
+          GIT_CLIFF_CONTENT: ${{ steps.git-cliff.outputs.content }}
         run: |
           # Convert Markdown links [text](url) to Slack mrkdwn <url|text>
           # Convert bold **text** to *text*
-          SLACK_RELEASE_NOTES=$(echo '${{ toJSON(steps.git-cliff.outputs.content) }}' | \
+          SLACK_RELEASE_NOTES=$(printf '%s\n' "$GIT_CLIFF_CONTENT" | \
             sed -E 's/\[([^]]+)\]\(([^)]+)\)/<\2|\1>/g' | \
             sed -E 's/\*\*([^*]+)\*\*/*\1*/g')
           echo "content<<SLACKEOF" >> "$GITHUB_OUTPUT"
diff --git a/.github/workflows/build-native-only.yml b/.github/workflows/build-native-only.yml
@@ -30,13 +30,17 @@ jobs:
       - name: Get commit message
         id: get-commit-message
         shell: bash
+        env:
+          GITHUB_EVENT_NAME: ${{ github.event_name }}
+          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          HEAD_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
         run: |
-          if [ "${{ github.event_name }}" == "pull_request" ]; then
+          if [ "$GITHUB_EVENT_NAME" == "pull_request" ]; then
             # For PR events, get the commit message from the PR head SHA
-            COMMIT_MESSAGE=$(git log -1 --format=%B ${{ github.event.pull_request.head.sha }})
+            COMMIT_MESSAGE=$(git log -1 --format=%B "$PR_HEAD_SHA")
           else
             # For push events, use the head commit message
-            COMMIT_MESSAGE="${{ github.event.head_commit.message }}"
+            COMMIT_MESSAGE="$HEAD_COMMIT_MESSAGE"
           fi
           # Export for use in other steps (multiline-safe)
           # Use printf with %s to avoid interpreting special characters
@@ -56,9 +60,12 @@ jobs:
     steps:
       - name: Check if workflow should run
         id: check
+        env:
+          COMMIT_HAS_MARKER: ${{ contains(needs.get-commit-message.outputs.commit_message, 'build:native:only') }}
+          PR_HAS_MARKER: ${{ contains(github.event.pull_request.labels.*.name, 'build:native:only') }}
         run: |
-          if [[ "${{ contains(needs.get-commit-message.outputs.commit_message, 'build:native:only') }}" == "true" ]] || \
-            [[ "${{ contains(github.event.pull_request.labels.*.name, 'build:native:only') }}" == "true" ]]; then
+          if [[ "$COMMIT_HAS_MARKER" == "true" ]] || \
+            [[ "$PR_HAS_MARKER" == "true" ]]; then
             echo "should_run=true" >> $GITHUB_OUTPUT
             echo "✅ Workflow triggered: Found 'build:native:only' in commit message or PR labels"
           else
diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
@@ -43,13 +43,17 @@ jobs:
       - name: Get commit message
         id: get-commit-message
         shell: bash
+        env:
+          GITHUB_EVENT_NAME: ${{ github.event_name }}
+          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          HEAD_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
         run: |
-          if [ "${{ github.event_name }}" == "pull_request" ]; then
+          if [ "$GITHUB_EVENT_NAME" == "pull_request" ]; then
             # For PR events, get the commit message from the PR head SHA
-            COMMIT_MESSAGE=$(git log -1 --format=%B ${{ github.event.pull_request.head.sha }})
+            COMMIT_MESSAGE=$(git log -1 --format=%B $PR_HEAD_SHA)
           else
             # For push events, use the head commit message
-            COMMIT_MESSAGE='${{ github.event.head_commit.message }}'
+            COMMIT_MESSAGE="$HEAD_COMMIT_MESSAGE"
           fi
           # Export for use in other steps (multiline-safe)
           # Use printf with %s to avoid interpreting special characters
