Securely map changed files to environment variable

rm3l · web-flow · commit 2af9d56289cb · 2026-01-29T18:30:05.000+01:00
Vulnerability: Script Injection via Untrusted Input
diff --git a/.github/workflows/check-generated-files.yaml b/.github/workflows/check-generated-files.yaml
@@ -27,11 +27,15 @@ jobs:
 
       - name: Fail if generated files are out of sync
         if: steps.verify-changed-files.outputs.files_changed == 'true'
+        # SECURITY: Map untrusted input to an environment variable.
+        # This prevents the shell from interpreting special characters in filenames as commands.
+        env:
+          CHANGED_FILES: ${{ steps.verify-changed-files.outputs.changed_files }}
         run: |
           echo "::error::Generated files are out of sync!"
           echo ""
           echo "The following files need to be regenerated:"
-          echo "${{ steps.verify-changed-files.outputs.changed_files }}"
+          echo "$CHANGED_FILES"
           echo ""
           echo "Please run the following commands locally and commit the changes:"
           echo "  make ui-static"
