openwork/.github
xj 86dc0feeb4 fix: prevent shell injection in opencode-agents workflow (#722)
The triage-issue job interpolated $ISSUE_TITLE and $ISSUE_BODY unquoted
inside a double-quoted shell string, allowing any GitHub user to execute
arbitrary commands by opening an issue with shell metacharacters.

The duplicate-prs job similarly interpolated $COMMENT unquoted into a
gh pr comment --body argument.

Fix both by using printf with %s (prevents shell interpretation) and
--body-file (avoids inline interpolation entirely).

Co-authored-by: xj <gh-xj@users.noreply.github.com>
2026-03-03 16:19:49 -08:00