fix: prevent shell injection via eval in action.yml and review/action.yml [E-1815]

action.yml

@@ -33,7 +33,7 @@ outputs:
 runs:
   using: "composite"
   steps:
-    - uses: actions/setup-node@v3.6.0
+    - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
       with:
         node-version: 18
     - id: run-npx-mobb-dev
@@ -42,55 +42,66 @@ runs:
         REPO=${REPO%".git"}
         BRANCH=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}
 
-        MobbExecString="npx --yes mobbdev@latest analyze --ci -r $REPO --ref $BRANCH --api-key ${{ inputs.api-key }} -f ${{ inputs.report-file }}"
-
+        MOBB_ARGS=(
+          npx --yes mobbdev@latest analyze --ci
+          -r "$REPO"
+          --ref "$BRANCH"
+          --api-key "$MOBB_API_KEY"
+          -f "$REPORT_FILE"
+        )
+
         # Check if mobb-project-name exists and append it
-        if [ -n "${{ inputs.mobb-project-name }}" ]; then
-          echo "mobb-project-name specified: ${{ inputs.mobb-project-name }}"
-          MobbExecString+=" --mobb-project-name \"${{ inputs.mobb-project-name }}\""
+        if [ -n "$MOBB_PROJECT_NAME" ]; then
+          echo "mobb-project-name specified: $MOBB_PROJECT_NAME"
+          MOBB_ARGS+=(--mobb-project-name "$MOBB_PROJECT_NAME")
         fi
 
         # Check if organization-id exists and append it
-        if [ -n "${{ inputs.organization-id }}" ]; then
-          echo "organization-id specified: ${{ inputs.organization-id }}"
-          MobbExecString+=" --organization-id \"${{ inputs.organization-id }}\""
+        if [ -n "$MOBB_ORG_ID" ]; then
+          echo "organization-id specified: $MOBB_ORG_ID"
+          MOBB_ARGS+=(--organization-id "$MOBB_ORG_ID")
         fi
 
         # Check if auto-pr flag is set append it
-        if [ "${{ inputs.auto-pr }}" == "true" ]; then
+        if [ "$AUTO_PR" == "true" ]; then
           echo "Auto-PR flag is set"
-          MobbExecString+=" --auto-pr"
+          MOBB_ARGS+=(--auto-pr)
         fi
 
         # Check if commit-directly flag is set append it to the Mobb CLI command
-        if [ "${{ inputs.commit-directly }}" == "true" ]; then
+        if [ "$COMMIT_DIRECTLY" == "true" ]; then
           echo "Commit Directly flag is set"
-          MobbExecString+=" --commit-directly"
+          MOBB_ARGS+=(--commit-directly)
 
           # Check if the action is running in the context of a pull request
-          if [ -n "${{ github.event.pull_request.number }}" ]; then
-            PR_ID="${{ github.event.pull_request.number }}"
+          PR_ID="${{ github.event.pull_request.number }}"
+          if [ -n "$PR_ID" ]; then
             echo "Pull Request ID detected: $PR_ID"
-            MobbExecString+=" --pr-id $PR_ID"
+            MOBB_ARGS+=(--pr-id "$PR_ID")
           else
             echo "No Pull Request detected. Skipping --pr-id flag."
           fi
         fi
 
-        # Output the final command string for debugging and execute it
-        echo "Mobb Command: $MobbExecString"
-        OUT=$(eval $MobbExecString)
-
+        OUT=$("${MOBB_ARGS[@]}")
+
         RETVAL=$?
         if [ $RETVAL -ne 0 ]; then
           exit $RETVAL
         fi
-        OUT=$(echo $OUT | tr '\n' ' ')
-        echo "fix-report-url=$OUT" >> $GITHUB_OUTPUT
+        OUT=$(echo "$OUT" | tr '\n' ' ')
+        echo "fix-report-url=$OUT" >> "$GITHUB_OUTPUT"
         echo "Mobb URL: $OUT"
-
-      shell: bash -l {0}
-    - uses: Sibz/github-status-action@v1
+
+      shell: bash
+      env:
+        MOBB_API_KEY: ${{ inputs.api-key }}
+        REPORT_FILE: ${{ inputs.report-file }}
+        MOBB_PROJECT_NAME: ${{ inputs.mobb-project-name }}
+        MOBB_ORG_ID: ${{ inputs.organization-id }}
+        AUTO_PR: ${{ inputs.auto-pr }}
+        COMMIT_DIRECTLY: ${{ inputs.commit-directly }}
+    - uses: Sibz/github-status-action@33dcef57b1a833b6a2e50679cd8dece3193c0f03 # v1
       with:
         authToken: ${{ inputs.github-token }}
         context: "Mobb fix report link"

review/action.yml

@@ -27,58 +27,69 @@ runs:
   using: "composite"
   steps:
     # save report since the checkout step deletes it
-    - uses: actions/upload-artifact@v4
+    - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       id: vul-report-upload
       with:
         name: vul-report
         path: ${{ inputs.report-file }}
-        run: echo "Artifact ID is ${{ steps.vul-report-upload.outputs.artifact-id }}"
-        shell: bash -l {0}
 
     # needed since we get wrong hash. this step deletes the report file, so need to save it beforehand
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       name: checkout-to-branch
       with:
         ref: ${{ github.head_ref }}
 
     # restore the report file
-    - uses: actions/download-artifact@v4
+    - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       with:
         name: vul-report
         path: results
 
-    - uses: actions/setup-node@v3.6.0
+    - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
       with:
         node-version: 18
 
     - id: run-npx-mobb-dev
       run: |
         REPO=$(git remote get-url origin)
         REPO=${REPO%".git"}
-        GITHUB_TOKEN=${{ inputs.github-token }}
-        SCANNER=${{ inputs.scanner }}
-        COMMIT_HASH=$(git rev-parse $GITHUB_HEAD_REF) 
-        PR_NUMBER=${{ github.event.pull_request.number }}
-        VUL_FILE_PATH=results/$(basename ${{ inputs.report-file }})
-        MobbExecString="npx --yes mobbdev@latest review  -r $REPO --ref $GITHUB_HEAD_REF --ch $COMMIT_HASH --api-key ${{ inputs.api-key }} -f $VUL_FILE_PATH  --pr $PR_NUMBER --github-token ${{ inputs.github-token }} --scanner $SCANNER"
+        COMMIT_HASH=$(git rev-parse "$GITHUB_HEAD_REF")
+        VUL_FILE_PATH="results/$(basename "$REPORT_FILE")"
+        PR_NUMBER="${{ github.event.pull_request.number }}"
+
+        MOBB_ARGS=(
+          npx --yes mobbdev@latest review
+          -r "$REPO"
+          --ref "$GITHUB_HEAD_REF"
+          --ch "$COMMIT_HASH"
+          --api-key "$MOBB_API_KEY"
+          -f "$VUL_FILE_PATH"
+          --pr "$PR_NUMBER"
+          --github-token "$GH_TOKEN"
+          --scanner "$SCANNER"
+        )
 
         # Check if mobb-project-name exists and append it
-        if [ -n "${{ inputs.mobb-project-name }}" ]; then
-          echo "mobb-project-name specified: ${{ inputs.mobb-project-name }}"
-          MobbExecString+=" --mobb-project-name \"${{ inputs.mobb-project-name }}\""
+        if [ -n "$MOBB_PROJECT_NAME" ]; then
+          echo "mobb-project-name specified: $MOBB_PROJECT_NAME"
+          MOBB_ARGS+=(--mobb-project-name "$MOBB_PROJECT_NAME")
         fi
 
-        # Output the final command string for debugging
-        echo "Mobb Command: $MobbExecString"
-        OUT=$(eval $MobbExecString || true)
-        OUT=$(echo $OUT | tr '\n' ' ')
+        OUT=$("${MOBB_ARGS[@]}" || true)
+        OUT=$(echo "$OUT" | tr '\n' ' ')
 
-        echo "fix-report-url=$OUT" >> $GITHUB_OUTPUT
+        echo "fix-report-url=$OUT" >> "$GITHUB_OUTPUT"
         echo "Mobb URL: $OUT"
 
-      shell: bash -l {0}
+      shell: bash
+      env:
+        MOBB_API_KEY: ${{ inputs.api-key }}
+        GH_TOKEN: ${{ inputs.github-token }}
+        SCANNER: ${{ inputs.scanner }}
+        REPORT_FILE: ${{ inputs.report-file }}
+        MOBB_PROJECT_NAME: ${{ inputs.mobb-project-name }}
 
-    - uses: Sibz/github-status-action@v1
+    - uses: Sibz/github-status-action@33dcef57b1a833b6a2e50679cd8dece3193c0f03 # v1
       if: ${{ startsWith(steps.run-npx-mobb-dev.outputs.fix-report-url, 'https://') }}
       with:
         authToken: ${{ inputs.github-token }}