Skip to content

Fix template injection in e2e-versions.yml (alert #123)#1119

Closed
brunoborges with Copilot wants to merge 3 commits into
mainfrom
copilot/fix-code-scanning-alerts-123
Closed

Fix template injection in e2e-versions.yml (alert #123)#1119
brunoborges with Copilot wants to merge 3 commits into
mainfrom
copilot/fix-code-scanning-alerts-123

Conversation

Copilot AI commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Description:
Resolves a zizmor/template-injection code scanning alert in the "Verify Java 21 outputs are set" workflow step. Inline ${{ steps.setup-java-21.outputs.* }} expressions inside a run shell script are evaluated before the shell sees the string, meaning a malicious output value could inject arbitrary shell commands.

Fix: Move template expressions to the step's env block and reference them as plain shell variables:

# Before (vulnerable)
run: |
  if [ -z "${{ steps.setup-java-21.outputs.version }}" ]; then ...

# After (safe)
env:
  JAVA21_VERSION: ${{ steps.setup-java-21.outputs.version }}
run: |
  if [ -z "$JAVA21_VERSION" ]; then ...

Both outputs.path and outputs.version are moved to env, eliminating direct template expansion inside the shell script.

Related issue:
Code scanning alert #123

Check list:

  • Ran npm run check locally (format, lint, build, test) and all checks pass.
  • Mark if documentation changes are required.
  • Mark if tests were added or updated to cover the changes.

Copilot AI changed the title [WIP] Fix code scanning alert #123 Fix template injection in e2e-versions.yml (alert #123) Jul 14, 2026
Copilot AI requested a review from brunoborges July 14, 2026 19:38
@brunoborges brunoborges marked this pull request as ready for review July 14, 2026 19:56
@brunoborges brunoborges requested a review from a team as a code owner July 14, 2026 19:56
Copilot AI review requested due to automatic review settings July 14, 2026 19:56

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR mitigates a zizmor/template-injection code-scanning alert in the e2e-versions.yml workflow by preventing direct GitHub expression interpolation inside a bash run: script, instead passing step outputs via environment variables.

Changes:

  • Moved ${{ steps.setup-java-21.outputs.path }} and ${{ steps.setup-java-21.outputs.version }} into the step’s env: block.
  • Updated the bash script to reference $JAVA21_PATH and $JAVA21_VERSION (quoted) rather than inline ${{ ... }} expressions.
Show a summary per file
File Description
.github/workflows/e2e-versions.yml Moves Java 21 output references into env to avoid template expansion inside the shell script and reduce injection risk.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 1/1 changed files
  • Comments generated: 0
  • Review effort level: Low

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants