mirror of
https://github.com/thedotmack/claude-mem
synced 2026-04-25 17:15:04 +02:00
fix: prevent shell injection in summary workflow (#1285)
The gh issue comment command was interpolating the LLM response via
${{ steps.inference.outputs.response }} directly in the shell, allowing
single-quote escaping if the response contained untrusted content.
RESPONSE was already declared as an env var but unused — now using it.
Closes #1285
Co-Authored-By: Claude <noreply@anthropic.com>
Changed file: .github/workflows/summary.yml (2 lines changed, vendored)
@@ -27,7 +27,7 @@ jobs:
- name: Comment with AI summary
run: |
gh issue comment $ISSUE_NUMBER --body '${{ steps.inference.outputs.response }}'
gh issue comment "$ISSUE_NUMBER" --body "$RESPONSE"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ISSUE_NUMBER: ${{ github.event.issue.number }}
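Review bot: The new command reads `"$RESPONSE"`, but the `env:` block visible in this hunk only declares `GH_TOKEN` and `ISSUE_NUMBER`; please confirm the step really carries a `RESPONSE: ${{ steps.inference.outputs.response }}` entry (the commit message says it exists, the hunk context does not show it), since otherwise `$RESPONSE` expands to an empty string and the workflow posts an empty comment instead of the summary. The substance of the fix is sound: moving the model output out of the `run:` script and into an environment variable means the shell never parses it, so quotes or `$(...)` in the response cannot break out of the command, and quoting `"$ISSUE_NUMBER"` is a good consistency improvement. One optional follow-up: for long responses, writing the variable to a temp file and using `gh issue comment --body-file` avoids argument-length limits and keeps the content off the process command line.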