mirror of
https://github.com/RT-Thread/rt-thread.git
synced 2026-03-24 09:30:19 +08:00
Move user-controlled GitHub Actions context expressions (github.event.pull_request.head.ref, head.repo.full_name, pull_request.number, event.action) from direct interpolation in run: blocks to env: variables.

Direct interpolation of these values in shell scripts allows attackers to inject arbitrary commands via crafted branch names under pull_request_target, which runs in the base repo context. Using env: variables ensures values are treated as literal strings by the shell, preventing command injection.

Ref: https://securitylab.github.com/research/github-actions-untrusted-input/
Reported-by: Wilson Cyber Research (@sourcecodereviewer)
Security: expression-injection
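The two patterns the commit message contrasts, shown side by side in a constructed workflow fragment. This is an added illustration, not a workflow from the rt-thread repository; the workflow name, job name, step names and trigger types are hypothetical, and only the four context expressions named in the commit message are used.

```yaml
# Constructed example (not from the rt-thread repository): one step written with
# direct interpolation, and the same step rewritten to pass the values through env:.
name: pr-report                 # hypothetical workflow name
on:
  pull_request_target:          # runs with the base repository's permissions
    types: [opened, synchronize, labeled]

jobs:
  report:                       # hypothetical job name
    runs-on: ubuntu-latest
    steps:
      # BEFORE: the Actions runner expands ${{ ... }} *before* the shell sees the
      # script, so the branch name and repository name become part of the shell
      # source text. Anything shell-significant in a head ref is then parsed as
      # code rather than as a string, in the base repository's context.
      - name: Report PR (direct interpolation, the pattern being removed)
        run: |
          echo "PR #${{ github.event.pull_request.number }} (${{ github.event.action }})"
          echo "head: ${{ github.event.pull_request.head.repo.full_name }}@${{ github.event.pull_request.head.ref }}"

      # AFTER: the runner still expands the expressions, but only into the step's
      # environment. The shell then expands "${HEAD_REF}" as a quoted parameter,
      # i.e. as data, so the value is never re-parsed as shell source.
      - name: Report PR (values passed via env, the pattern being introduced)
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
          EVENT_ACTION: ${{ github.event.action }}
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
        run: |
          echo "PR #${PR_NUMBER} (${EVENT_ACTION})"
          echo "head: ${HEAD_REPO}@${HEAD_REF}"
```

Keep the variable references double-quoted in the script: the env: indirection is what stops the value from being parsed as shell code, and the quotes additionally prevent word splitting and glob expansion of the branch name. The same env: block can be placed at job level when several steps need the values.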