Skip to content

Harden GH_AW_MCP_CLI_SERVERS shell export to resolve code scanning alert #580#31238

Merged
pelikhan merged 2 commits into
mainfrom
copilot/fix-code-scanning-alerts-580
May 9, 2026
Merged

Harden GH_AW_MCP_CLI_SERVERS shell export to resolve code scanning alert #580#31238
pelikhan merged 2 commits into
mainfrom
copilot/fix-code-scanning-alerts-580

Conversation

Copilot AI commented May 9, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bug Fix

Alert #580 flagged unsafe shell quoting when emitting GH_AW_MCP_CLI_SERVERS in generated workflow script content. This change applies proper shell argument escaping at the sink so JSON payloads containing quotes cannot break command structure.

  • What was the bug?

    Direct interpolation wrote JSON into shell commands with ad hoc quoting, allowing embedded ' to terminate quotes and corrupt the export/$GITHUB_ENV write path.

  • How did you fix it?

    Applied shellEscapeArg(...) to the marshaled JSON before writing both command lines in writeMCPGatewayExports (pkg/workflow/mcp_setup_generator.go), and used the escaped value consistently for:

    • export GH_AW_MCP_CLI_SERVERS=...
    • echo GH_AW_MCP_CLI_SERVERS=... >> "$GITHUB_ENV"

  • Example (before/after)

escapedCLIServersJSON := shellEscapeArg(string(cliServersJSON))
yaml.WriteString("          export GH_AW_MCP_CLI_SERVERS=" + escapedCLIServersJSON + "\n")
yaml.WriteString("          echo GH_AW_MCP_CLI_SERVERS=" + escapedCLIServersJSON + " >> \"$GITHUB_ENV\"\n")

@pelikhan
Fix shell escaping for GH_AW_MCP_CLI_SERVERS export
dcdb26a 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix code scanning alert 580 Harden GH_AW_MCP_CLI_SERVERS shell export to resolve code scanning alert #580 May 9, 2026
Copilot AI requested a review from pelikhan May 9, 2026 16:52
@pelikhan pelikhan marked this pull request as ready for review May 9, 2026 16:57
Copilot AI review requested due to automatic review settings May 9, 2026 16:57
Copilot AI reviewed May 9, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Hardens the generated workflow script output to prevent shell-quoting injection when exporting GH_AW_MCP_CLI_SERVERS (fixing code scanning alert #580).

Changes:

  • Shell-escapes the marshaled JSON for GH_AW_MCP_CLI_SERVERS using shellEscapeArg(...).
  • Uses the escaped JSON consistently for both export GH_AW_MCP_CLI_SERVERS=... and writing to $GITHUB_ENV.
Show a summary per file
File Description
pkg/workflow/mcp_setup_generator.go Applies shellEscapeArg to the JSON payload before emitting it into shell export and $GITHUB_ENV append lines.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 1/1 changed files
  • Comments generated: 0

@pelikhan pelikhan merged commit 4dbb5f6 into main May 9, 2026
4 checks passed
@pelikhan pelikhan deleted the copilot/fix-code-scanning-alerts-580 branch May 9, 2026 17:01
@github-actions github-actions Bot mentioned this pull request May 10, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@pelikhan pelikhan Awaiting requested review from pelikhan

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pelikhan