From 61c5113998e4ac6a1d4b9017e8803c5215609079 Mon Sep 17 00:00:00 2001
From: Pablo Pettinari
Date: Mon, 16 Feb 2026 10:21:26 +0100
Subject: [PATCH] fix(ci): complete injection prevention in translation review workflow

Move remaining GitHub context values to env blocks to prevent potential shell injection. Add numeric validation for PR numbers before downstream usage. Extends the security fixes from #17560 to cover the "Get PR number" and "Post acknowledgment" steps that were not addressed in the original PR.

---
 .../workflows/claude-review-translations.yml | 30 ++++++++++++++-----
 1 file changed, 23 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/claude-review-translations.yml b/.github/workflows/claude-review-translations.yml
index eae2993c485..f779aa50173 100644
--- a/.github/workflows/claude-review-translations.yml
+++ b/.github/workflows/claude-review-translations.yml
@@ -83,15 +83,29 @@ jobs:
 - name: Get PR number
 id: pr
+ env:
+ # All values moved to env block to prevent shell injection
+ EVENT_NAME: ${{ github.event_name }}
+ INPUT_PR_NUMBER: ${{ github.event.inputs.pr_number }}
+ PR_NUMBER: ${{ github.event.pull_request.number }}
+ ISSUE_NUMBER: ${{ github.event.issue.number }}
 run: |
- if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
- echo "number=${{ github.event.inputs.pr_number }}" >> $GITHUB_OUTPUT
- elif [[ "${{ github.event_name }}" == "pull_request" || "${{ github.event_name }}" == "pull_request_review_comment" ]]; then
- echo "number=${{ github.event.pull_request.number }}" >> $GITHUB_OUTPUT
+ if [[ "$EVENT_NAME" == "workflow_dispatch" ]]; then
+ PR_NUM="$INPUT_PR_NUMBER"
+ elif [[ "$EVENT_NAME" == "pull_request" || "$EVENT_NAME" == "pull_request_review_comment" ]]; then
+ PR_NUM="$PR_NUMBER"
 else
- echo "number=${{ github.event.issue.number }}" >> $GITHUB_OUTPUT
+ PR_NUM="$ISSUE_NUMBER"
 fi
+ # Validate PR number is numeric to prevent injection in downstream usage
+ if [[ ! "$PR_NUM" =~ ^[0-9]+$ ]]; then
+ echo "Error: PR number must be numeric, got: $PR_NUM"
+ exit 1
+ fi
+
+ echo "number=$PR_NUM" >> $GITHUB_OUTPUT
+
 - name: Extract flags from comment
 id: parse
 env:
@@ -162,9 +176,11 @@ jobs:
 - name: Post acknowledgment
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ PR_NUMBER: ${{ steps.pr.outputs.number }}
+ RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
 run: |
- gh pr comment ${{ steps.pr.outputs.number }} --body "$(cat <
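Review bot: In the new validation block of the "Get PR number" step, the rejection message is written to stdout with a bare `echo` and the output write still uses an unquoted `$GITHUB_OUTPUT`, so a failed check does not surface as a run annotation and the redirect target is subject to word splitting. I would emit the failure as a workflow error on stderr, `echo "::error::PR number must be numeric, got: $PR_NUM" >&2`, and quote the path, `echo "number=$PR_NUM" >> "$GITHUB_OUTPUT"`. Note also that the `else` branch takes `github.event.issue.number` for every remaining event type; if the workflow also fires on comments to plain issues (its triggers are outside this hunk), a numeric issue number passes the regex yet is not a PR, so a check on `github.event.issue.pull_request` before accepting it may be worth adding. The enclosing `jobs:` mapping begins before this hunk.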