Fix: Resolve code injection vulnerability in ASH PR comment workflow (#171)

manoj-selvakumar5 · web-flow · commit 08573f6502d7 · 2025-09-23T20:01:24.000-04:00
* feat: add automated ASH security scanning workflow for PRs

* fix: resolve code injection vulnerability in ASH PR comment workflow
diff --git a/.github/workflows/ash-pr-comment.yml b/.github/workflows/ash-pr-comment.yml
@@ -44,6 +44,9 @@ jobs:
       - name: Post comment on PR
         if: steps.pr-info.outputs.pr_number
         uses: actions/github-script@v7
+        env:
+          PR_NUMBER: ${{ steps.pr-info.outputs.pr_number }}
+          PR_SHA: ${{ steps.pr-info.outputs.pr_sha }}
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
@@ -56,8 +59,8 @@ jobs:
             }
 
             const commentBody = fs.readFileSync(commentPath, 'utf8');
-            const prNumber = parseInt('${{ steps.pr-info.outputs.pr_number }}');
-            const prSha = '${{ steps.pr-info.outputs.pr_sha }}';
+            const prNumber = parseInt(process.env.PR_NUMBER);
+            const prSha = process.env.PR_SHA;
 
             if (!prNumber) {
               console.log('Invalid PR number');
diff --git a/.github/workflows/ash-pr-security-scan.yml b/.github/workflows/ash-pr-security-scan.yml
@@ -10,7 +10,6 @@ on:
 
 permissions:
   contents: read
-  pull-requests: write
 
 concurrency:
   group: ash-${{ github.workflow }}-${{ github.ref }}
@@ -60,32 +59,34 @@ jobs:
 
       - name: Get PR changed files
         if: always()
-        id: get-files
-        run: |
-          echo "Getting changed files for PR..."
-          git fetch origin ${{ github.base_ref }}
-          git diff --name-only origin/${{ github.base_ref }}...HEAD > changed-files.txt
-          echo "Changed files:"
-          cat changed-files.txt
+        id: changed-files
+        uses: tj-actions/changed-files@v46
 
       - name: Create PR files directory for scanning
         if: always()
         run: |
           mkdir -p pr-scan-dir
 
-          # Copy only changed files to scan directory
-          if [ -s changed-files.txt ]; then
-            while IFS= read -r file; do
+          # Save changed files list for Python script
+          changed_files="${{ steps.changed-files.outputs.all_changed_files }}"
+          if [ -n "$changed_files" ]; then
+            echo "$changed_files" | tr ' ' '\n' > changed-files.txt
+            echo "Changed files:"
+            cat changed-files.txt
+
+            # Copy only changed files to scan directory
+            for file in $changed_files; do
               if [ -f "$file" ]; then
                 # Create directory structure
                 mkdir -p "pr-scan-dir/$(dirname "$file")"
                 # Copy the file
                 cp "$file" "pr-scan-dir/$file"
                 echo "Copied: $file"
               fi
-            done < changed-files.txt
+            done
           else
             echo "No files changed in this PR"
+            touch changed-files.txt
           fi
 
           echo "Files to scan:"
