Resolve template injection on comment command#7546

Merged
youknowone merged 1 commit into
RustPython:mainfrom
ShaharNaveh:comment-commands-inject
Mar 30, 2026

Conversation

@ShaharNaveh

@ShaharNaveh ShaharNaveh commented Mar 30, 2026


Validated that this version still works by pushing this branch to my main branch and triggering it at ShaharNaveh#53 (comment)

Summary by CodeRabbit

  • Chores
    • Improved GitHub Actions workflow configuration for handling issue assignments through enhanced environment variable management.

@coderabbitai

coderabbitai Bot commented Mar 30, 2026

📝 Walkthrough

A GitHub Actions workflow step that assigns issues now retrieves the assignee username via a step-level environment variable instead of direct template interpolation in the JSON payload. The env: block sets USER to the commenter's login, and the curl request references this variable.

Changes

Cohort / File(s): Workflow Configuration (.github/workflows/comment-commands.yml)
Summary: Refactored issue assignment step to source assignee username through an env: block setting USER to the commenter's login, updating the curl request to reference ${{ env.USER }} instead of direct interpolation.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

  • youknowone

Poem

🐰 Hop, hop, variables bloom,
In workflows bright, no more gloom,
Env blocks neat, so clean and tight,
Assignees dance in perfect light!

🚥 Pre-merge checks: 3 passed
  • Title check: ✅ Passed. The title 'Resolve template injection on comment command' accurately describes the main change: fixing a template injection vulnerability by moving the variable interpolation from inside the JSON payload to a step-level environment variable.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/comment-commands.yml:
- Around line 21-23: Replace the compile-time interpolation of ${{ env.USER }}
in the curl payload with a runtime-built, JSON-encoded payload using the shell
USER variable; specifically, stop using `${{ env.USER }}` inside the curl -d
string in the curl invocation and instead construct the JSON at runtime (e.g.,
use jq or another JSON encoder to create '{"assignees":["<user>"]}' from the
shell $USER) and pass that encoded payload to curl; change the step that sets
env: USER and the curl invocation in .github/workflows/comment-commands.yml so
the JSON is built and escaped by the runner (refer to the USER env variable and
the curl -d invocation in the file).
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: c688521f-dae5-4a95-ab77-25e077a517b1

📥 Commits

Reviewing files that changed from the base of the PR and between 2703f94 and f81eebf.

📒 Files selected for processing (1)
  • .github/workflows/comment-commands.yml
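The three shapes of the issue-assignment step discussed in this thread, side by side, as an added example that is not the project's own comment-commands.yml. The "before" step is reconstructed from the PR description and CodeRabbit's summary (the page does not show the original diff); the job and step names, the `/assign` trigger word, the use of `GITHUB_TOKEN` and the `permissions` block are assumptions. The first two steps are disabled with `if: false` so the file stays runnable while keeping them for comparison.

```yaml
# Added example (not the RustPython workflow file): contrasting how the
# commenter's login reaches the curl payload in each variant.
name: comment-commands
on:
  issue_comment:
    types: [created]

jobs:
  assign:
    # Assumed trigger: a comment on an issue (not a PR) containing "/assign".
    if: ${{ !github.event.issue.pull_request && contains(github.event.comment.body, '/assign') }}
    runs-on: ubuntu-latest
    permissions:
      issues: write
    steps:
      # 1. Reconstructed "before" shape. The workflow engine expands
      #    ${{ ... }} into the script text before bash ever runs, so the
      #    login is pasted verbatim inside a single-quoted shell string and
      #    inside a JSON string: neither layer escapes it.
      - name: Assign (template interpolation inside the payload)
        if: false
        run: |
          curl -sS -X POST \
            -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
            -H "Accept: application/vnd.github+json" \
            "https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/assignees" \
            -d '{"assignees":["${{ github.event.comment.user.login }}"]}'

      # 2. Shape merged in this PR: the login moves to a step-level env var.
      #    Referencing it as ${{ env.USER }} inside run: is still expanded
      #    into the script text at workflow-evaluation time, which is the
      #    point CodeRabbit's inline comment raises.
      - name: Assign (env var, still interpolated into the script)
        if: false
        env:
          USER: ${{ github.event.comment.user.login }}
        run: |
          curl -sS -X POST \
            -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
            -H "Accept: application/vnd.github+json" \
            "https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/assignees" \
            -d '{"assignees":["${{ env.USER }}"]}'

      # 3. Shape CodeRabbit suggested: read the value as a shell variable
      #    ($USER), so it is taken from the process environment at run time
      #    and never becomes part of the script text, and let jq build the
      #    JSON so quotes and backslashes in the value are encoded as data.
      - name: Assign (runtime-built, JSON-encoded payload)
        env:
          USER: ${{ github.event.comment.user.login }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
          ISSUE: ${{ github.event.issue.number }}
        run: |
          payload="$(jq -cn --arg u "$USER" '{assignees: [$u]}')"
          curl -sS -X POST \
            -H "Authorization: Bearer $GH_TOKEN" \
            -H "Accept: application/vnd.github+json" \
            "https://api.github.com/repos/$REPO/issues/$ISSUE/assignees" \
            -d "$payload"
```

The distinction to keep in mind is where the substitution happens: `${{ ... }}` is resolved by the workflow engine into the literal script text, whereas `$USER` is resolved by the shell from the environment after the script text is fixed, so moving a value to `env:` only helps if the script then reads it with shell syntax. In the third step every event-derived value, not just the login, is passed the same way, and `jq --arg` does the JSON escaping, which is the "built and escaped by the runner" outcome the inline comment asks for.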

@youknowone youknowone merged commit 611b122 into RustPython:main Mar 30, 2026
9 checks passed

Labels

skip:ci Skip running the ci


3 participants