Copilot AI commented Nov 4, 2025

Template expressions in "Setup MCPs" steps were expanded directly in shell scripts (within TOML/JSON config files), creating code injection vulnerabilities. Fixed by moving template expansions to environment variables and referencing them using shell variable syntax.

Changes

Modified 5 files:

  1. pkg/workflow/mcp-config.go - TOML config generation

    • renderSafeOutputsMCPConfigTOML(): Changed 6 env vars from "${{ env.VAR }}" → "${VAR}"
    • renderAgenticWorkflowsMCPConfigTOML(): Changed "${{ secrets.GITHUB_TOKEN }}" → "${GH_AW_GITHUB_TOKEN_FOR_AGENTIC_WORKFLOWS}"
    • renderSharedMCPConfig(): Added expression extraction/replacement for all MCP tool args
  2. pkg/workflow/codex_engine.go - GitHub MCP config

    • Changed GITHUB_PERSONAL_ACCESS_TOKEN = "${{ secrets... }}" → "${GITHUB_MCP_SERVER_TOKEN}"
  3. pkg/workflow/mcp_servers.go - Environment variable setup

    • Added GITHUB_REPOSITORY and GITHUB_SERVER_URL to safe-outputs env block
    • Added extractExpressionsFromMCPToolArgs() to handle custom MCP tool arg expressions
    • Added extracted env vars to Setup MCPs env block

Updated test expectations in codex_engine_test.go and mcp_config_refactor_test.go to match new format.

Example

Before:

```yaml
- name: Setup MCPs
  run: |
    cat > config.toml << EOF
    [mcp_servers.github.env]
    GITHUB_PERSONAL_ACCESS_TOKEN = "${{ secrets.GH_AW_GITHUB_TOKEN }}"
    EOF
```

After:

```yaml
- name: Setup MCPs
  env:
    GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
  run: |
    cat > config.toml << EOF
    [mcp_servers.github.env]
    GITHUB_PERSONAL_ACCESS_TOKEN = "${GITHUB_MCP_SERVER_TOKEN}"
    EOF
```

Template expressions now only appear in the env: block, preventing shell injection.

Original prompt

This section details the original issue you should resolve

<issue_title>[task] Fix template injection vulnerabilities in Setup MCPs steps</issue_title>
<issue_description>## Objective
Add input validation and use intermediate variables to prevent template injection in "Setup MCPs" steps across affected workflows.

Context

Template expansion without validation in "Setup MCPs" steps creates code injection vulnerabilities (LOW severity). This affects 8 occurrences across 3 workflows. While low severity, these should be fixed to prevent potential exploitation.

Related to discussion #3120 - Static Analysis Report finding #3.

Approach

  1. Identify all template expansions in "Setup MCPs" steps
  2. Add input validation for template variables
  3. Use intermediate environment variables instead of direct template expansion
  4. Follow the pattern: assign to env var, then use the env var in script

Files to Modify

  • .github/workflows/duplicate-code-detector.md - Fix 4 template injection occurrences
  • .github/workflows/mcp-inspector.md - Fix 1 template injection occurrence
  • .github/workflows/smoke-codex.md - Fix 4 template injection occurrences
  • Recompile all affected workflows with gh aw compile

Example Fix Pattern

```yaml
# Before (vulnerable)
- name: Setup MCPs
  run: |
    echo "Processing ${{ inputs.value }}"

# After (safe)
- name: Setup MCPs
  env:
    VALIDATED_INPUT: ${{ inputs.value }}
  run: |
    echo "Processing $VALIDATED_INPUT"
```

Acceptance Criteria

  • All 8 template injection occurrences fixed
  • Template inputs assigned to environment variables first
  • Scripts use environment variables instead of direct expansion
  • All workflows compile successfully
  • Zizmor scan shows no template-injection findings for these workflows

Related to 🔍 Static Analysis Report - November 4, 2025 #3120

AI generated by Plan Command for discussion #3120</issue_description>

Comments on the Issue (you are @copilot in this section)
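The expression extraction the PR describes for custom MCP tool args (rewrite every `${{ ... }}` to a `${VAR}` reference and collect the matching `env:` entries) is illustrated below as an added example. This is not the gh-aw project's own code; the `GH_AW_` name prefix and the `ExtractExpressions` / `envNameFor` names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// exprPattern matches one GitHub Actions template expression such as
// "${{ secrets.GH_AW_GITHUB_TOKEN }}" or "${{ inputs.value }}".
var exprPattern = regexp.MustCompile(`\$\{\{\s*([^}]+?)\s*\}\}`)

// nonIdent matches every character that is not valid in a shell identifier.
var nonIdent = regexp.MustCompile(`[^A-Za-z0-9_]`)

// envNameFor derives a deterministic, shell-safe env var name from an expression,
// e.g. "github.repository" -> "GH_AW_GITHUB_REPOSITORY".
// The "GH_AW_" prefix is a constructed convention for this example.
func envNameFor(expr string) string {
	name := strings.ToUpper(nonIdent.ReplaceAllString(strings.TrimSpace(expr), "_"))
	return "GH_AW_" + name
}

// ExtractExpressions rewrites each "${{ ... }}" in args to "${ENV_NAME}" and returns
// the rewritten args plus the env block to attach to the Setup MCPs step. The shell
// script then only ever sees a variable reference, so the expression's value is never
// re-parsed as shell, TOML or JSON syntax when the config file is written.
func ExtractExpressions(args []string) ([]string, map[string]string) {
	env := map[string]string{}
	out := make([]string, len(args))
	for i, a := range args {
		out[i] = exprPattern.ReplaceAllStringFunc(a, func(m string) string {
			expr := exprPattern.FindStringSubmatch(m)[1]
			name := envNameFor(expr)
			env[name] = "${{ " + expr + " }}" // expansion happens in the env: block only
			return "${" + name + "}"
		})
	}
	return out, env
}

func main() {
	// Constructed sample args for a custom MCP tool.
	args := []string{"--repo", "${{ github.repository }}", "--token", "${{ secrets.GH_AW_GITHUB_TOKEN }}", "plain"}
	rewritten, env := ExtractExpressions(args)
	fmt.Println(rewritten)
	for k, v := range env {
		fmt.Printf("%s: %s\n", k, v)
	}
}
```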


- Replace direct template expansions with environment variable references
- Update renderSafeOutputsMCPConfigTOML to use ${VAR} syntax
- Update renderAgenticWorkflowsMCPConfigTOML to use ${VAR} syntax
- Update renderGitHubCodexMCPConfig to use ${VAR} syntax
- Add expression extraction for custom MCP tool args
- Add extracted env vars to Setup MCPs env block
- Update test expectations to match new secure format
- All tests passing

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix template injection vulnerabilities in Setup MCPs steps Fix template injection vulnerabilities in Setup MCPs steps Nov 4, 2025
Copilot AI requested a review from pelikhan November 4, 2025 11:48
@pelikhan pelikhan closed this Nov 4, 2025
@pelikhan pelikhan deleted the copilot/fix-template-injection-vulnerabilities-again branch November 4, 2025 22:59