From 0c7e64f094f44d4bf294779d76a42730e43093a8 Mon Sep 17 00:00:00 2001
From: Junpei Tsuji
Date: Tue, 13 Jan 2026 15:10:53 +0900
Subject: [PATCH] Fix script injection vulnerability in cross-repo-issue workflow
The workflow was vulnerable to script injection because `github.event.pull_request.title` was directly interpolated into the shell command. An attacker could craft a malicious PR title to execute arbitrary commands and potentially exfiltrate the GITHUB_TOKEN. This fix passes user-controlled inputs via environment variables instead of direct interpolation, which prevents shell injection. Reference: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections
---
.github/workflows/cross-repo-issue.yml | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/cross-repo-issue.yml b/.github/workflows/cross-repo-issue.yml
index 2bea44a301c..57fe3ce2f82 100644
--- a/.github/workflows/cross-repo-issue.yml
+++ b/.github/workflows/cross-repo-issue.yml
@@ -20,9 +20,15 @@ jobs:
 if: "!contains(github.event.pull_request.labels.*.name, 'do not port') && github.event.pull_request.merged"
 env:
 GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+ PR_NUMBER: ${{ github.event.number }}
+ PR_TITLE: ${{ github.event.pull_request.title }}
+ PR_MERGED_AT: ${{ github.event.pull_request.merged_at }}
 run: |
- echo -e "A PR was merged over on PBS-Go\n\n- [https://github.com/prebid/prebid-server/pull/${{github.event.number}}](https://github.com/prebid/prebid-server/pull/${{github.event.number}})\n- timestamp: ${{ github.event.pull_request.merged_at}}" > msg
- export msg=$(cat msg)
- gh issue create --repo prebid/prebid-server-java --title "Port PR from PBS-Go: ${{ github.event.pull_request.title }}" \
- --body "$msg" \
+ BODY="A PR was merged over on PBS-Go
+
+ - https://github.com/prebid/prebid-server/pull/${PR_NUMBER}
+ - timestamp: ${PR_MERGED_AT}"
+ gh issue create --repo prebid/prebid-server-java \
+ --title "Port PR from PBS-Go: ${PR_TITLE}" \
+ --body "${BODY}" \
 --label auto
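Review bot: The three new `env:` entries (`PR_NUMBER`, `PR_TITLE`, `PR_MERGED_AT`) carry no comment explaining why event data is routed through environment variables rather than `${{ }}` inside `run:`, so a later edit to this step can quietly reintroduce the interpolation this commit removes; a one-line comment above `PR_NUMBER:` such as `# Untrusted event fields are passed as env vars and must never be interpolated into run:` would record that invariant in the file itself, where the commit message will not be seen. The rewritten `run:` body looks correct: every expansion sits inside double quotes, and the `--title` value is prefixed by a fixed string, so a title that starts with `-` cannot be read as an option by `gh`. Two smaller points: the issue body changes from a Markdown link `[url](url)` to a bare URL, which the commit message does not mention, and the trailing `--label auto` continuation appears to keep its old indentation while the new `--title`/`--body` lines are indented deeper (the collapsed hunk makes the exact whitespace hard to confirm). The step's header and the rest of the job lie before the hunk, so whether other `run:` blocks in this workflow still interpolate `github.event.*` cannot be judged from here.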