
Conversation

Copilot AI (Contributor) commented Jan 23, 2026

The original PR description incorrectly characterized CodeQL alert #538 as a shell injection vulnerability. The code was generating YAML environment variables, not executing shell commands.

Context Correction

The flagged code in update_project_job.go (lines 42-52):

  • Used %q formatting to embed JSON in YAML environment variable declarations
  • Was suppressed with lgtm[go/unsafe-quoting] explaining it generates YAML, not shell commands
  • CodeQL flagged it because Go's %q escaping doesn't match YAML quoting rules, potentially breaking YAML parsing

Fix Remains Valid

The GH_AW_PROJECT_VIEWS environment variable was never consumed anywhere:

  • No references in JavaScript code (pkg/workflow/js/*.cjs)
  • Views configuration already passed via GH_AW_SAFE_OUTPUTS_PROJECT_HANDLER_CONFIG (compiler_safe_outputs_config.go:602-608)
  • Removing dead code eliminates the alert without affecting functionality

The code change (removing unused env var generation + encoding/json import) is correct. Only the PR description's threat model characterization needed correction.
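The comment above makes a point worth seeing in working code: Go's `%q` produces a Go string literal, and a YAML parser reads that text under YAML's own escape rules, so the two only coincide by accident. The following is an added example written for this page, not code from the pull request or from the repository it belongs to. `YAMLDoubleQuote`, `DecodeYAMLDoubleQuoted`, `EnvLine` and the `EXAMPLE_JSON` payload are hypothetical names and constructed sample data; the decoder is a minimal single-line subset of YAML 1.2 double-quoted scalars, enough to show where `%q` output and YAML disagree. For ordinary JSON (valid UTF-8, plain ASCII punctuation) both quoting routines emit identical text, which is why the original code worked in practice; the divergence is in `\xNN`, which Go emits for a raw invalid byte but YAML reads as the code point U+00NN. The defensive pattern is to quote with a YAML-specific routine and to round-trip the result through a YAML decoder in a test.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
	"unicode/utf8"
)

// YAMLDoubleQuote renders s as a single-line YAML double-quoted scalar using
// only escapes that YAML 1.2 defines for that style. YAML has no escape for a
// raw byte, so invalid UTF-8 is replaced with U+FFFD explicitly (hypothetical
// helper written for this example).
func YAMLDoubleQuote(s string) string {
	var b strings.Builder
	b.WriteByte('"')
	for i := 0; i < len(s); {
		r, size := utf8.DecodeRuneInString(s[i:])
		switch {
		case r == utf8.RuneError && size == 1: // invalid byte, not a real rune
			b.WriteString(`\uFFFD`)
		case r == '"':
			b.WriteString(`\"`)
		case r == '\\':
			b.WriteString(`\\`)
		case r == '\n':
			b.WriteString(`\n`)
		case r == '\r':
			b.WriteString(`\r`)
		case r == '\t':
			b.WriteString(`\t`)
		case r < 0x20 || r == 0x7f: // other control characters
			fmt.Fprintf(&b, `\x%02X`, r)
		default:
			b.WriteRune(r)
		}
		i += size
	}
	b.WriteByte('"')
	return b.String()
}

// yamlSimpleEscapes lists the single-character escapes of YAML 1.2 section 5.7.
var yamlSimpleEscapes = map[byte]rune{
	'0': 0, 'a': 7, 'b': 8, 't': 9, '\t': 9, 'n': 10, 'v': 11, 'f': 12,
	'r': 13, 'e': 0x1b, ' ': ' ', '"': '"', '/': '/', '\\': '\\',
	'N': 0x85, '_': 0xa0, 'L': 0x2028, 'P': 0x2029,
}

// DecodeYAMLDoubleQuoted decodes a single-line YAML double-quoted scalar the
// way a YAML parser would (minimal subset: no line folding). Note that \xNN is
// the code point U+00NN here, not a raw byte as in Go's strconv.Quote output.
func DecodeYAMLDoubleQuoted(q string) (string, error) {
	if len(q) < 2 || q[0] != '"' || q[len(q)-1] != '"' {
		return "", fmt.Errorf("not a double-quoted scalar: %s", q)
	}
	body := q[1 : len(q)-1]
	var out strings.Builder
	for i := 0; i < len(body); i++ {
		c := body[i]
		if c == '"' {
			return "", fmt.Errorf("unescaped quote ends the scalar early")
		}
		if c != '\\' {
			out.WriteByte(c)
			continue
		}
		i++
		if i == len(body) {
			return "", fmt.Errorf("dangling backslash")
		}
		if r, ok := yamlSimpleEscapes[body[i]]; ok {
			out.WriteRune(r)
			continue
		}
		var width int
		switch body[i] {
		case 'x':
			width = 2
		case 'u':
			width = 4
		case 'U':
			width = 8
		default:
			return "", fmt.Errorf(`\%c is not a YAML escape`, body[i])
		}
		if i+width >= len(body) {
			return "", fmt.Errorf("truncated escape")
		}
		cp, err := strconv.ParseUint(body[i+1:i+1+width], 16, 32)
		if err != nil {
			return "", err
		}
		out.WriteRune(rune(cp)) // a code point, whatever the byte width
		i += width
	}
	return out.String(), nil
}

// EnvLine is a hypothetical replacement for the %q pattern: JSON-encode v,
// then quote the JSON with YAML rules rather than Go rules.
func EnvLine(name string, v any) (string, error) {
	js, err := json.Marshal(v)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%s: %s", name, YAMLDoubleQuote(string(js))), nil
}

func main() {
	// Constructed payload standing in for JSON embedded in an env declaration.
	line, _ := EnvLine("EXAMPLE_JSON", map[string]any{"views": []string{"a"}})
	fmt.Println(line)
	for _, s := range []string{`{"k":"v"}`, "bad\xffbyte"} {
		got, err := DecodeYAMLDoubleQuoted(strconv.Quote(s))
		fmt.Printf("%%q output %s read as YAML: %q (err=%v, lossless=%t)\n",
			strconv.Quote(s), got, err, got == s)
	}
}
```

Running it prints the env line followed by one line per sample: the JSON sample round-trips losslessly, while the invalid-byte sample comes back as `badÿbyte`, because YAML turned Go's raw `\xff` into U+00FF. The useful check is the last part: decode the emitted scalar with a YAML decoder and compare to the original string, rather than trusting that Go's quoting grammar matches YAML's.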



Copilot AI changed the title from "[WIP] Fix unsafe quoting in YAML environment variable" to "Correct PR description: YAML context not shell injection in code scanning alert #538" Jan 23, 2026
Copilot AI requested a review from pelikhan January 23, 2026 01:53
@pelikhan pelikhan marked this pull request as ready for review January 23, 2026 01:54
@pelikhan pelikhan merged commit ba457fa into fix/code-scanning-alert-538-remove-dead-code-4aa93f2b3d92ad6d Jan 23, 2026
1 check passed
@pelikhan pelikhan deleted the copilot/sub-pr-11424 branch January 23, 2026 01:54