ControlCore-Project · pradeeban · Feb 13, 2026 · Feb 12, 2026 · Copilot · Feb 12, 2026
diff --git a/.github/workflows/PR-review.yaml b/.github/workflows/PR-review.yaml
@@ -17,10 +17,16 @@ jobs:
       contains(github.event.comment.body, '/gemini-review')
     steps:
       - name: PR Info
+        env:
+        #Assign untrusted inputs to environment variables first
+          COMMENT_BODY: ${{ github.event.comment.body }}
+          ISSUE_NUM: ${{ github.event.issue.number }}
+          REPO: ${{ github.repository }}
+        #Use shell variables ("$VAR") instead of template tags
         run: |
-          echo "Comment: ${{ github.event.comment.body }}"
-          echo "Issue Number: ${{ github.event.issue.number }}"
-          echo "Repository: ${{ github.repository }}"
+          echo "Comment: $COMMENT_BODY"
+          echo "Issue Number: $ISSUE_NUM"
+          echo "Repository: $REPO"
 
       - name: Checkout Repo
         uses: actions/checkout@v3
@@ -30,17 +36,20 @@ jobs:
 
       - name: Get PR Details
         id: pr
-        run: |
-          PR_JSON=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.issue.number }})
-          echo "head_sha=$(echo $PR_JSON | jq -r .head.sha)" >> $GITHUB_OUTPUT
-          echo "base_sha=$(echo $PR_JSON | jq -r .base.sha)" >> $GITHUB_OUTPUT
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO: ${{ github.repository }}
+          ISSUE_NUM: ${{ github.event.issue.number }}
+          #Use env vars for the API call to prevent injection
+          #Use quotes around variables to prevent word splitting
+        run: |
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          REPO: ${{ github.repository }}
-          ISSUE_NUM: ${{ github.event.issue.number }}
-          #Use env vars for the API call to prevent injection
-          #Use quotes around variables to prevent word splitting
-        run: |
+          # Use env vars for the API call to prevent injection
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO: ${{ github.repository }}
+          ISSUE_NUM: ${{ github.event.issue.number }}
+        run: |
+          # Use quotes around variables to prevent word splitting
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          REPO: ${{ github.repository }}
-          ISSUE_NUM: ${{ github.event.issue.number }}
-          #Use env vars for the API call to prevent injection
-          #Use quotes around variables to prevent word splitting
-        run: |
+          # Use env vars for the API call to prevent injection
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO: ${{ github.repository }}
+          ISSUE_NUM: ${{ github.event.issue.number }}
+        run: |
+          # Use quotes around variables to prevent word splitting
+          PR_JSON=$(gh api "repos/$REPO/pulls/$ISSUE_NUM")
+          echo "head_sha=$(echo "$PR_JSON" | jq -r .head.sha)" >> $GITHUB_OUTPUT
+          echo "base_sha=$(echo "$PR_JSON" | jq -r .base.sha)" >> $GITHUB_OUTPUT
 
       - uses: truongnh1992/gemini-ai-code-reviewer@main
         with:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
           GEMINI_MODEL: gemini-2.5-flash
-          EXCLUDE: "*.md,*.txt,package-lock.json"
-
+          EXCLUDE: "*.md,*.txt,package-lock.json"