@@ -17,10 +17,16 @@ jobs:
1717 contains(github.event.comment.body, '/gemini-review')
1818 steps :
1919 - name : PR Info
20+ env :
21+ # Assign untrusted inputs to environment variables first
22+ COMMENT_BODY : ${{ github.event.comment.body }}
23+ ISSUE_NUM : ${{ github.event.issue.number }}
24+ REPO : ${{ github.repository }}
25+ # Use shell variables ("$VAR") instead of template tags
2026 run : |
21- echo "Comment: ${{ github.event.comment.body }} "
22- echo "Issue Number: ${{ github.event.issue.number }} "
23- echo "Repository: ${{ github.repository }} "
27+ echo "Comment: $COMMENT_BODY "
28+ echo "Issue Number: $ISSUE_NUM "
29+ echo "Repository: $REPO "
2430
2531 - name : Checkout Repo
2632 uses : actions/checkout@v3
@@ -30,17 +36,20 @@ jobs:
3036
3137 - name : Get PR Details
3238 id : pr
33- run : |
34- PR_JSON=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.issue.number }})
35- echo "head_sha=$(echo $PR_JSON | jq -r .head.sha)" >> $GITHUB_OUTPUT
36- echo "base_sha=$(echo $PR_JSON | jq -r .base.sha)" >> $GITHUB_OUTPUT
3739 env :
3840 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
41+ REPO : ${{ github.repository }}
42+ ISSUE_NUM : ${{ github.event.issue.number }}
43+ # Use env vars for the API call to prevent injection
44+ # Use quotes around variables to prevent word splitting
45+ run : |
46+ PR_JSON=$(gh api "repos/$REPO/pulls/$ISSUE_NUM")
47+ echo "head_sha=$(echo "$PR_JSON" | jq -r .head.sha)" >> $GITHUB_OUTPUT
48+ echo "base_sha=$(echo "$PR_JSON" | jq -r .base.sha)" >> $GITHUB_OUTPUT
3949
4050 - uses : truongnh1992/gemini-ai-code-reviewer@main
4151 with :
4252 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
4353 GEMINI_API_KEY : ${{ secrets.GEMINI_API_KEY }}
4454 GEMINI_MODEL : gemini-2.5-flash
45- EXCLUDE : " *.md,*.txt,package-lock.json"
46-
55+ EXCLUDE : " *.md,*.txt,package-lock.json"
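Review bot: `truongnh1992/gemini-ai-code-reviewer@main` (new line 50) is still pinned to a mutable branch while being handed `secrets.GITHUB_TOKEN` and `secrets.GEMINI_API_KEY`, so any push to that branch runs new code with those credentials on the next `/gemini-review` comment; pin it (and `actions/checkout@v3`) to a full commit SHA, e.g. `uses: truongnh1992/gemini-ai-code-reviewer@<full-commit-sha>  # pinned; bump deliberately`. The env-var indirection this commit adds closes the expression-injection hole in both `run:` blocks, but the only gate visible here is the `contains(github.event.comment.body, '/gemini-review')` clause on line 17 (its `if:` starts above the hunk), which any commenter can satisfy and which also matches comments on plain issues, where the `pulls/$ISSUE_NUM` lookup on line 46 has nothing to fetch. Consider tightening it to `if: github.event.issue.pull_request && contains(github.event.comment.body, '/gemini-review') && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)`. Minor: quote `"$GITHUB_OUTPUT"` on lines 47–48 for consistency with the quoting the commit introduces elsewhere.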