refactor(action): avoid code injection #718
Conversation
Pull Request Overview
Refactor GitHub Action to prevent potential code injection vulnerabilities by moving external data from direct string interpolation in JavaScript to environment variables.
- Replaces direct string interpolation of dependabot metadata outputs with environment variable access
- Adds environment variable declarations for action path and dependabot metadata fields
- Modifies JavaScript code to use process.env instead of template literals for external values
Co-authored-by: Copilot <[email protected]>
Signed-off-by: Frazer Smith <[email protected]>
What kind of malicious input are we guarding against, and how does proxying those values through environment variables address the issue?

Linked code scanning alerts cover this, are you not able to open them?

Yes, I hadn't seen the links.
The action contains code injection where values from external sources are directly interpolated into JavaScript code without proper sanitisation.

While these values come from the dependabot/fetch-metadata action rather than direct user input, they still represent external data that could potentially contain malicious content if the metadata action were compromised or if dependency names contained special characters that could break JavaScript syntax.

Closes https://github.com/fastify/github-action-merge-dependabot/security/code-scanning/9, https://github.com/fastify/github-action-merge-dependabot/security/code-scanning/8, https://github.com/fastify/github-action-merge-dependabot/security/code-scanning/7, and https://github.com/fastify/github-action-merge-dependabot/security/code-scanning/6.