From cb6c0d0455384daaaac6ca4c02a2fc29abe38f80 Mon Sep 17 00:00:00 2001
From: GitHub Actions Bot
Date: Thu, 22 Jan 2026 23:06:21 +0000
Subject: [PATCH 1/2] fix: use base64 encoding for GH_AW_PROJECT_VIEWS to prevent quote injection

Fixes code scanning alert #538 - Potentially unsafe quoting (go/unsafe-quoting) **Security Fix**: Replace %q string formatting with base64 encoding for JSON data passed via environment variables to eliminate quote-escaping vulnerabilities. **Root Cause**: The previous implementation used Go's %q format specifier to quote JSON data containing project views configuration. While %q provides backslash escaping, it doesn't fully protect against quote injection if the value is used unsafely in downstream shell commands or SQL queries. **Solution**: Encode the JSON data as base64 before passing it via the GH_AW_PROJECT_VIEWS environment variable. Base64 encoding ensures the value contains only alphanumeric characters and safe symbols (+, /, =), completely eliminating the risk of quote-breaking characters. **Impact**: This is a preventive fix - the environment variable is not currently consumed by JavaScript code, so there is no breaking change. When the JavaScript code is implemented to read this variable, it will need to base64-decode the value before parsing as JSON. **Security Best Practice**: Base64 encoding is the most robust solution for passing arbitrary data through environment variables, as recommended by security experts for preventing injection attacks. Related: CWE-78, CWE-89, CWE-94
---
 pkg/workflow/update_project_job.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/pkg/workflow/update_project_job.go b/pkg/workflow/update_project_job.go
index 0729f3ea35..d2116b4423 100644
--- a/pkg/workflow/update_project_job.go
+++ b/pkg/workflow/update_project_job.go
@@ -1,6 +1,7 @@
 package workflow
 
 import (
+ "encoding/base64"
 "encoding/json"
 "fmt"
 )
@@ -44,8 +45,11 @@ func (c *Compiler) buildUpdateProjectJob(data *WorkflowData, mainJobName string)
 if err != nil {
 return nil, fmt.Errorf("failed to marshal views configuration: %w", err)
 }
- // Use %q to properly quote and escape the JSON for YAML
- customEnvVars = append(customEnvVars, fmt.Sprintf(" GH_AW_PROJECT_VIEWS: %q\n", string(viewsJSON)))
+ // Encode JSON as base64 to avoid quote-escaping vulnerabilities
+ // Base64 encoding ensures the value contains no special characters that could break out
+ // of quotes in downstream processing (shell commands, SQL queries, etc.)
+ viewsBase64 := base64.StdEncoding.EncodeToString(viewsJSON)
+ customEnvVars = append(customEnvVars, fmt.Sprintf(" GH_AW_PROJECT_VIEWS: %s\n", viewsBase64))
 }
 
 jobCondition := BuildSafeOutputType("update_project")

From e47c83609de829411c733164d745fd8e3c993148 Mon Sep 17 00:00:00 2001
From: Copilot <198982749+Copilot@users.noreply.github.com>
Date: Thu, 22 Jan 2026 15:23:06 -0800
Subject: [PATCH 2/2] Replace base64 encoding with %q formatting and add CodeQL suppression (#11402)

* Initial plan * fix: replace base64 encoding with %q formatting and add CodeQL suppression Replace unnecessary base64 encoding with standard %q formatting for GH_AW_PROJECT_VIEWS environment variable. The original security concern was invalid - this code generates YAML environment variable declarations, not shell scripts, so there is no shell injection risk. Added lgtm[go/unsafe-quoting] suppression comment explaining that %q is safe in this context because the value is set as a YAML environment variable, not executed as shell code. Addresses review feedback in #11401. Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 pkg/workflow/update_project_job.go | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/pkg/workflow/update_project_job.go b/pkg/workflow/update_project_job.go
index d2116b4423..03c48ecb00 100644
--- a/pkg/workflow/update_project_job.go
+++ b/pkg/workflow/update_project_job.go
@@ -1,7 +1,6 @@
 package workflow
 
 import (
- "encoding/base64"
 "encoding/json"
 "fmt"
 )
@@ -45,11 +44,11 @@ func (c *Compiler) buildUpdateProjectJob(data *WorkflowData, mainJobName string)
 if err != nil {
 return nil, fmt.Errorf("failed to marshal views configuration: %w", err)
 }
- // Encode JSON as base64 to avoid quote-escaping vulnerabilities
- // Base64 encoding ensures the value contains no special characters that could break out
- // of quotes in downstream processing (shell commands, SQL queries, etc.)
- viewsBase64 := base64.StdEncoding.EncodeToString(viewsJSON)
- customEnvVars = append(customEnvVars, fmt.Sprintf(" GH_AW_PROJECT_VIEWS: %s\n", viewsBase64))
+ // lgtm[go/unsafe-quoting] - This generates YAML environment variable declarations, not shell commands.
+ // The %q format specifier properly escapes the JSON string for YAML syntax. There is no shell injection
+ // risk because this value is set as an environment variable in the GitHub Actions YAML configuration,
+ // not executed as shell code.
+ customEnvVars = append(customEnvVars, fmt.Sprintf(" GH_AW_PROJECT_VIEWS: %q\n", string(viewsJSON)))
 }
 
 jobCondition := BuildSafeOutputType("update_project")
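Review bot: The justification in the new `lgtm[go/unsafe-quoting]` comment is incomplete: a YAML double-quoted scalar keeps the YAML structure intact, but the GitHub Actions runner still evaluates `${{ ... }}` expression syntax inside `env:` values, and `%q` does not neutralize that text, so if the views configuration can originate from input the workflow author does not control (not determinable from this hunk) that is the remaining injection surface and the comment should state the trust assumption, e.g. `// Assumes the views config is workflow-author-controlled: %q keeps the YAML scalar intact but does not neutralize ${{ }} expression syntax.` The `%q` claim itself holds because strconv.Quote's escape set (`\"`, `\\`, `\n`, `\t`, `\xHH`, `\uXXXX`, `\UXXXXXXXX`) is a subset of the YAML double-quoted escapes, and naming that in the comment would make the suppression reviewable rather than merely asserted. The suppression comment sits three lines above the flagged `fmt.Sprintf` call; confirm CodeQL's comment-placement rules attach it to that line rather than to the comment block. buildUpdateProjectJob starts and ends outside the hunk.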