Commit 1f02a38
fg0x0
fix: randomize heredoc delimiter in GITHUB_OUTPUT writes
Replace fixed 'EOF' heredoc delimiter with a random per-invocation
delimiter (ghdelim_<random>) when writing gemini_response and
gemini_errors to $GITHUB_OUTPUT.
The fixed 'EOF' delimiter allows an LLM response containing a bare
'EOF' line to close the heredoc early. Subsequent name=value lines
in the response then become arbitrary step outputs, enabling bash
injection in any downstream consumer workflow that interpolates
${{ steps.gemini_run.outputs.X }} into a run: block.
This follows the canonical pattern from GitHub's official docs:
https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#multiline-strings
Fixes the vulnerability described in:
- Google VRP Issue #514026965
- Related to GHSA-62f2-6rx8-v262 (TOML template fix)
Present since v0.1.12 (PR #247, 2025-08-25).
1 parent 055c24c, commit 1f02a38
1 file changed
Lines changed: 6 additions & 4 deletions
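The failure mode the commit message describes, as an added shell example (not the project's own code): a writer using the fixed 'EOF' delimiter beside one using a per-invocation ghdelim_<random> delimiter, plus a simplified parser of the $GITHUB_OUTPUT format to show which output names each version ends up defining. The sample response, the way the random suffix is generated and the delimiter-collision check are constructed or assumed here; the runner's real parser is not reproduced.

```shell
#!/bin/sh
# Added example, not the project's code. Demonstrates the early heredoc
# close described in the commit message and the random-delimiter fix.
set -eu

# Constructed model response: a bare 'EOF' line followed by a name=value
# line. The value is deliberately inert.
SAMPLE_RESPONSE=$(printf 'Looks good.\nEOF\ninjected=not-from-the-model')

# Pre-fix writer: fixed 'EOF' delimiter. Args: name value output_file
write_output_fixed() {
  printf '%s<<EOF\n%s\nEOF\n' "$1" "$2" >> "$3"
}

# Post-fix writer: per-invocation random delimiter (ghdelim_<random>).
# The collision check is an extra precaution assumed here, not from the patch.
write_output_random() {
  delim="ghdelim_$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
  if printf '%s\n' "$2" | grep -qxF "$delim"; then
    echo "refusing to write: value contains the delimiter" >&2
    return 1
  fi
  printf '%s<<%s\n%s\n%s\n' "$1" "$delim" "$2" "$delim" >> "$3"
}

# Simplified model of how the runner reads $GITHUB_OUTPUT: 'name<<DELIM'
# opens a block that ends at a line equal to DELIM; 'name=value' lines
# outside a block define outputs. Prints every output name defined.
output_names() {
  awk '
    in_block { if ($0 == delim) in_block = 0; next }
    /^[A-Za-z_][A-Za-z0-9_]*<</ {
      i = index($0, "<<"); print substr($0, 1, i - 1)
      delim = substr($0, i + 2); in_block = 1; next
    }
    /^[A-Za-z_][A-Za-z0-9_]*=/ { i = index($0, "="); print substr($0, 1, i - 1) }
  ' "$1"
}

OUT_DIR=$(mktemp -d)
write_output_fixed  gemini_response "$SAMPLE_RESPONSE" "$OUT_DIR/fixed"
write_output_random gemini_response "$SAMPLE_RESPONSE" "$OUT_DIR/random"
# Fixed delimiter: the response's 'EOF' line closes the block early and
# 'injected' becomes a step output. Random delimiter: only gemini_response.
printf 'fixed  delimiter defines: %s\n' "$(output_names "$OUT_DIR/fixed"  | tr '\n' ' ')"
printf 'random delimiter defines: %s\n' "$(output_names "$OUT_DIR/random" | tr '\n' ' ')"
```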
[Diff content not captured in this rendering: one hunk in the changed file spanning original lines 350-371 and new lines 350-373, with 4 deletions (original lines 353, 359, 362, 368) and 6 additions (new lines 353, 354, 360, 363, 364, 370).]
0 commit comments