Skip to content

fix(security): unsafe YAML quoting for GH_AW_LABEL_NAMES env var (CodeQL go/unsafe-quoting) #22764

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pelikhan merged 4 commits into from
Mar 24, 2026
+5 −5
Merged

fix(security): unsafe YAML quoting for GH_AW_LABEL_NAMES env var (CodeQL go/unsafe-quoting) #22764

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
b60643f
Initial plan
Copilot Mar 24, 2026
df9c624
fix: use %q instead of single-quoted format for GH_AW_LABEL_NAMES env…
Copilot Mar 24, 2026
d35b9a3
fix(security): use %q instead of single-quoted format for GH_AW_LABEL…
Copilot Mar 24, 2026
f50b703
Merge branch 'main' into copilot/fix-code-scanning-alert-559
pelikhan Mar 24, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/ci-doctor.lock.yml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion .github/workflows/cloclo.lock.yml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion .github/workflows/dev.lock.yml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion .github/workflows/smoke-copilot.lock.yml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion pkg/workflow/compiler_activation_job.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -329,7 +329,7 @@ func (c *Compiler) buildActivationJob(data *WorkflowData, preActivationJobCreate
if err != nil {
return nil, fmt.Errorf("failed to marshal label-command names: %w", err)
}
steps = append(steps, fmt.Sprintf(" GH_AW_LABEL_NAMES: '%s'\n", string(labelNamesJSON)))
steps = append(steps, fmt.Sprintf(" GH_AW_LABEL_NAMES: %q\n", string(labelNamesJSON)))
Copy link

Copilot AI Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR description mentions this change is "consistent with every other JSON env var in the codebase", but there are still other JSON env vars embedded with single-quoted '%s' (e.g., pkg/workflow/compiler_pre_activation_job.go:226 uses %q, but pkg/workflow/compiler_yaml_main_job.go:109 uses '%s' for GH_AW_REPOSITORY_IMPORTS and pkg/workflow/compiler_yaml.go:683 uses '%s' for GH_AW_INFO_ALLOWED_DOMAINS). Consider either adjusting the description, or (as a follow-up) standardizing these remaining JSON env vars to a safe quoting/escaping strategy as well.

Copilot uses AI. Check for mistakes.
steps = append(steps, " with:\n")
// Use GitHub App or custom token if configured (avoids needing elevated GITHUB_TOKEN permissions)
labelToken := c.resolveActivationToken(data)
Expand Down
Loading