
Commit 1b5ed9b

Authored by: github-actions[bot], Code Scanning Fixer Bot, Copilot, pelikhan
[code-scanning-fix] Fix go/unsafe-quoting: Escape single quotes in JSON data (#11382)
* Fix go/unsafe-quoting: Escape single quotes in JSON data

- Add proper shell escaping for JSON data embedded in environment variables
- Prevents potential command injection via single quotes in user data
- Fixes CodeQL alert #538 (Critical severity)
- Uses POSIX-compatible '\'' escaping technique

Security: Addresses CWE-78, CWE-89, CWE-94

* Replace manual quote escaping with %q format specifier (#11386)

* Initial plan

* Use %q for JSON escaping in YAML dictionary values

Replaced manual single-quote escaping with Go's %q format specifier, which:
- Automatically handles all special characters and escaping
- Produces cleaner YAML with double quotes instead of single quotes
- Follows existing codebase patterns (e.g., add_comment.go)
- Simplifies code by removing manual string replacement logic

This addresses the feedback to use simpler escaping for JSON data in YAML dictionary values.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

* Replace manual quote escaping with %q format specifier for YAML encoding (#11392)

* Initial plan

* Recompile workflows after security fix

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

* Add changeset [skip-ci]

---------

Co-authored-by: Code Scanning Fixer Bot <code-scanning-bot@github.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
1 parent 9b93e3d commit 1b5ed9b

File tree

2 files changed

+16
-1
lines changed


.changeset/patch-escape-single-quotes-in-project-views.md

Lines changed: 14 additions & 0 deletions

pkg/workflow/update_project_job.go

Lines changed: 2 additions & 1 deletion
@@ -44,7 +44,8 @@ func (c *Compiler) buildUpdateProjectJob(data *WorkflowData, mainJobName string)
4444
if err != nil {
4545
return nil, fmt.Errorf("failed to marshal views configuration: %w", err)
4646
}
47-
customEnvVars = append(customEnvVars, fmt.Sprintf(" GH_AW_PROJECT_VIEWS: '%s'\n", string(viewsJSON)))
47+
// Use %q to properly quote and escape the JSON for YAML
48+
customEnvVars = append(customEnvVars, fmt.Sprintf(" GH_AW_PROJECT_VIEWS: %q\n", string(viewsJSON)))
4849
}
4950

5051
jobCondition := BuildSafeOutputType("update_project")
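Review bot: the `%q` verb on the new line 48 emits a Go string literal, not a YAML double-quoted scalar, so the fix relies on the two escape grammars agreeing for everything `json.Marshal` can emit into `viewsJSON`; they do (`\"`, `\\`, `\n`, `\t`, `\uXXXX` all mean the same thing in both), but the comment on line 47 should state that assumption, and a compiler test that builds a views configuration whose fields contain a single quote, a double quote, a backslash and a newline, parses the generated workflow YAML, and compares the decoded `GH_AW_PROJECT_VIEWS` value back to `string(viewsJSON)` would pin it down. Note also that this hunk only changes how the value is written into the `env:` block; whether the single-quote injection CodeQL flagged on the removed line 47 is fully closed also depends on the step that reads `GH_AW_PROJECT_VIEWS` treating it as data rather than expanding it into a shell command line, which is outside this diff and worth confirming in the same review.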
