diff --git a/.github/workflows/PR-review.yaml b/.github/workflows/PR-review.yaml
index 83d480d..b7dc275 100644
--- a/.github/workflows/PR-review.yaml
+++ b/.github/workflows/PR-review.yaml
@@ -17,10 +17,16 @@ jobs:
contains(github.event.comment.body, '/gemini-review')
steps:
- name: PR Info
+ env:
+ #Assign untrusted inputs to environment variables first
+ COMMENT_BODY: ${{ github.event.comment.body }}
+ ISSUE_NUM: ${{ github.event.issue.number }}
+ REPO: ${{ github.repository }}
+ #Use shell variables ("$VAR") instead of template tags
run: |
- echo "Comment: ${{ github.event.comment.body }}"
- echo "Issue Number: ${{ github.event.issue.number }}"
- echo "Repository: ${{ github.repository }}"
+ echo "Comment: $COMMENT_BODY"
+ echo "Issue Number: $ISSUE_NUM"
+ echo "Repository: $REPO"
- name: Checkout Repo
uses: actions/checkout@v3
@@ -30,17 +36,20 @@ jobs:
- name: Get PR Details
id: pr
- run: |
- PR_JSON=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.issue.number }})
- echo "head_sha=$(echo $PR_JSON | jq -r .head.sha)" >> $GITHUB_OUTPUT
- echo "base_sha=$(echo $PR_JSON | jq -r .base.sha)" >> $GITHUB_OUTPUT
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ REPO: ${{ github.repository }}
+ ISSUE_NUM: ${{ github.event.issue.number }}
+ #Use env vars for the API call to prevent injection
+ #Use quotes around variables to prevent word splitting
+ run: |
+ PR_JSON=$(gh api "repos/$REPO/pulls/$ISSUE_NUM")
+ echo "head_sha=$(echo "$PR_JSON" | jq -r .head.sha)" >> $GITHUB_OUTPUT
+ echo "base_sha=$(echo "$PR_JSON" | jq -r .base.sha)" >> $GITHUB_OUTPUT
- uses: truongnh1992/gemini-ai-code-reviewer@main
with:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
GEMINI_MODEL: gemini-2.5-flash
- EXCLUDE: "*.md,*.txt,package-lock.json"
-
\ No newline at end of file
+ EXCLUDE: "*.md,*.txt,package-lock.json"
\ No newline at end of file
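Review bot: Moving `github.event.comment.body` into `COMMENT_BODY` closes the shell-injection hole in the `PR Info` step, but the visible `contains(github.event.comment.body, '/gemini-review')` condition still lets any account that can comment on the repository start this job and the secret-bearing steps after it; nothing in the hunk restricts who may invoke it. The `if:` expression begins above the hunk, so if it does not already do so, extend it with an association gate such as `&& contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) && github.event.issue.pull_request` so only trusted commenters, and only on actual pull requests, trigger the review. As a style point, the added comments are written `#Assign untrusted inputs …`; yamllint's `comments` rule expects `# Assign untrusted inputs …` with a space after the hash.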
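Review bot: The quoted `gh api "repos/$REPO/pulls/$ISSUE_NUM"` call is now injection-safe, but the same `GITHUB_TOKEN` and `GEMINI_API_KEY` are handed a few lines later to `uses: truongnh1992/gemini-ai-code-reviewer@main`, a third-party action pinned to a mutable branch, so whoever controls that repository can change what runs with those credentials on every invocation without any change here. Pin it to the full commit SHA of a reviewed release, with the version in a trailing comment, and update the hash deliberately. The diff also shows no `permissions:` block; if the workflow does not set one elsewhere, declare the minimum these steps need, e.g. `permissions: { contents: read, pull-requests: write }` (confirm against what the reviewer action actually requires). Finally, a `jq` failure inside the `$( … )` substitutions is swallowed by `echo`, so a malformed response silently writes empty `head_sha`/`base_sha` outputs; assign first, `HEAD_SHA=$(jq -r .head.sha <<<"$PR_JSON")`, so the default `-e` shell aborts the step instead.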