
Commit ce91b03

Copilot and Malcolmnixon committed
Fix JSON injection vulnerability by using JsonSerializer
Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com>
1 parent ba5a8bb commit ce91b03

1 file changed

+5
-2
lines changed


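--- a/src/DemaConsulting.BuildMark/RepoConnectors/GitHubRepoConnector.cs
+++ b/src/DemaConsulting.BuildMark/RepoConnectors/GitHubRepoConnector.cs
@@ -591,8 +591,11 @@ private static async Task<IReadOnlyList<Release>> GetAllReleasesAsync(
 // This creates minimal Release objects with only TagName populated
 return releaseTagNames.Select(tagName =>
 {
-var json = $$"""{"tag_name":"{{tagName}}"}""";
-return Newtonsoft.Json.JsonConvert.DeserializeObject<Release>(json) ?? throw new InvalidOperationException($"Failed to create Release object for tag {tagName}");
+// Use JsonConvert with a proper object to avoid JSON injection
+var releaseData = new { tag_name = tagName };
+var json = Newtonsoft.Json.JsonConvert.SerializeObject(releaseData);
+var release = Newtonsoft.Json.JsonConvert.DeserializeObject<Release>(json);
+return release ?? throw new InvalidOperationException($"Failed to create Release object for tag {tagName}");
 }).ToList();
 }
 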
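Review bot: The serialize-then-deserialize round trip on the new lines 596–597 is an indirect way to build a `Release` from a tag name; if `Release` exposes a public constructor or a settable `TagName`, `new Release { TagName = tagName }` removes the serializer from this path and with it the whole injection class, whereas if the type only maps `TagName` through a JSON attribute (which the original literal-based construction suggests but the hunk does not show), the round trip is the right fix and the comment should say why. The added comment `// Use JsonConvert with a proper object to avoid JSON injection` would then read better as `// Serialize from an object so tagName is escaped as a JSON string value rather than spliced into a JSON literal`, which states the property being relied on rather than just the goal. Note that the commit title says "JsonSerializer" while the code calls `JsonConvert.SerializeObject`, which may confuse anyone grepping the history. The `?? throw` fallback is presumably unreachable once the input is a serializer-produced object literal, so it is worth a short comment that it guards only against a broken `Release` deserialization contract. The enclosing `GetAllReleasesAsync` begins outside the hunk.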