From 7636d75a9ddc1163b73010353a2fa1697540f853 Mon Sep 17 00:00:00 2001
From: Agentic Workflow
Date: Fri, 23 Jan 2026 01:33:41 +0000
Subject: [PATCH 1/2] fix(security): Remove unused environment variable with unsafe JSON quoting
Fixes code scanning alert #538 (go/unsafe-quoting)
The code was creating a GH_AW_PROJECT_VIEWS environment variable with JSON data embedded using %q, which CodeQL flagged as unsafe quoting. However, this environment variable was never consumed by any JavaScript code - it was dead code.
The actual views configuration is properly passed through the GH_AW_SAFE_OUTPUTS_PROJECT_HANDLER_CONFIG environment variable (see compiler_safe_outputs_config.go:602-608), which uses proper JSON marshaling and %q escaping on line 638.
This fix removes the unused code entirely, eliminating the security vulnerability without affecting functionality.
CWE-78, CWE-89, CWE-94
---
 pkg/workflow/update_project_job.go | 14 --------------
 1 file changed, 14 deletions(-)
diff --git a/pkg/workflow/update_project_job.go b/pkg/workflow/update_project_job.go
index 03c48ecb007..c53b6292ad6 100644
--- a/pkg/workflow/update_project_job.go
+++ b/pkg/workflow/update_project_job.go
@@ -1,7 +1,6 @@
 package workflow
 import (
- "encoding/json"
 "fmt"
 )
@@ -38,19 +37,6 @@ func (c *Compiler) buildUpdateProjectJob(data *WorkflowData, mainJobName string)
 // The JavaScript code checks process.env.GH_AW_PROJECT_GITHUB_TOKEN to provide helpful error messages
 customEnvVars = append(customEnvVars, fmt.Sprintf(" GH_AW_PROJECT_GITHUB_TOKEN: %s\n", effectiveToken))
- // If views are configured in frontmatter, pass them to the JavaScript via environment variable
- if data.SafeOutputs.UpdateProjects != nil && len(data.SafeOutputs.UpdateProjects.Views) > 0 {
- viewsJSON, err := json.Marshal(data.SafeOutputs.UpdateProjects.Views)
- if err != nil {
- return nil, fmt.Errorf("failed to marshal views configuration: %w", err)
- }
- // lgtm[go/unsafe-quoting] - This generates YAML environment variable declarations, not shell commands.
- // The %q format specifier properly escapes the JSON string for YAML syntax. There is no shell injection
- // risk because this value is set as an environment variable in the GitHub Actions YAML configuration,
- // not executed as shell code.
- customEnvVars = append(customEnvVars, fmt.Sprintf(" GH_AW_PROJECT_VIEWS: %q\n", string(viewsJSON)))
- }
-
 jobCondition := BuildSafeOutputType("update_project")
 permissions := NewPermissionsContentsReadProjectsWrite()
From ba457fa3a2c59d8b927752877166f998f7fa9cf6 Mon Sep 17 00:00:00 2001
From: Copilot <198982749+Copilot@users.noreply.github.com>
Date: Thu, 22 Jan 2026 17:54:48 -0800
Subject: [PATCH 2/2] Initial plan (#11426)