Skip to content

Fix template injection (zizmor alert #118) in e2e-versions.yml#1114

Merged
brunoborges merged 2 commits into
mainfrom
copilot/fix-code-scanning-alert-118
Jul 14, 2026
Merged

Fix template injection (zizmor alert #118) in e2e-versions.yml#1114
brunoborges merged 2 commits into
mainfrom
copilot/fix-code-scanning-alert-118

Conversation

Copilot AI commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Description:
Resolves a zizmor/template-injection code scanning alert where ${{ steps.setup-java-17.outputs.path }} was interpolated directly into a run shell block, allowing the step output to expand into attacker-controllable code.

Fix moves the expression into a step-level env variable and references it as a plain shell variable:

# Before (vulnerable)
run: |
  if [ "$JAVA_HOME" != "${{ steps.setup-java-17.outputs.path }}" ]; then

# After (safe)
env:
  JAVA_17_PATH: ${{ steps.setup-java-17.outputs.path }}
run: |
  if [ "$JAVA_HOME" != "$JAVA_17_PATH" ]; then

Related issue:
Code scanning alert #118

Check list:

  • Ran npm run check locally (format, lint, build, test) and all checks pass.
  • Mark if documentation changes are required.
  • Mark if tests were added or updated to cover the changes.

Copilot AI changed the title [WIP] Fix code scanning alert #118 Fix template injection (zizmor alert #118) in e2e-versions.yml Jul 14, 2026
Copilot AI requested a review from brunoborges July 14, 2026 19:04
@brunoborges brunoborges marked this pull request as ready for review July 14, 2026 19:36
@brunoborges brunoborges requested a review from a team as a code owner July 14, 2026 19:36
Copilot AI review requested due to automatic review settings July 14, 2026 19:36
@brunoborges brunoborges merged commit 7a475d8 into main Jul 14, 2026
1 check passed
@brunoborges brunoborges deleted the copilot/fix-code-scanning-alert-118 branch July 14, 2026 19:36

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses a zizmor/template-injection risk in the e2e-versions GitHub Actions workflow by removing direct ${{ ... }} interpolation from a bash run: block and routing the value through a step-level environment variable instead.

Changes:

  • Introduces JAVA_17_PATH as a step-level env variable sourced from steps.setup-java-17.outputs.path.
  • Updates the Java 17 JAVA_HOME verification script to compare against $JAVA_17_PATH rather than embedding the expression in the shell script.
Show a summary per file
File Description
.github/workflows/e2e-versions.yml Moves Java 17 output usage into env to avoid direct expression interpolation in a bash run: block.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 1/1 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment on lines +725 to +730
env:
JAVA_17_PATH: ${{ steps.setup-java-17.outputs.path }}
run: |
echo "JAVA_HOME=$JAVA_HOME"
echo "Java 17 path=${{ steps.setup-java-17.outputs.path }}"
if [ "$JAVA_HOME" != "${{ steps.setup-java-17.outputs.path }}" ]; then
echo "Java 17 path=$JAVA_17_PATH"
if [ "$JAVA_HOME" != "$JAVA_17_PATH" ]; then
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants