Skip to content

[code-scanning-fix] Fix workflow-graphql-id-unescaped: eliminate string interpolation in GraphQL mutations via variables #40757

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pelikhan merged 2 commits into from
Jun 22, 2026
+23 −10
Merged

[code-scanning-fix] Fix workflow-graphql-id-unescaped: eliminate string interpolation in GraphQL mutations via variables #40757

Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
3c4b872
fix: escape GraphQL string interpolation in project mutations (CWE-89)
github-actions[bot] Jun 22, 2026
c969477
refactor: use GraphQL variables in project mutations to eliminate str…
Copilot Jun 22, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions pkg/cli/project_command.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -300,7 +300,7 @@ func createProject(ctx context.Context, ownerId, title string, verbose bool) (ma
url
}
}
}`, ownerId, escapeGraphQLString(title))
}`, escapeGraphQLString(ownerId), escapeGraphQLString(title))
Comment thread
pelikhan marked this conversation as resolved.
Outdated

output, err := workflow.RunGH("Creating project...", "api", "graphql", "-f", "query="+mutation)
if err != nil {
Expand Down Expand Up @@ -370,7 +370,7 @@ func linkProjectToRepo(ctx context.Context, projectId, repoSlug string, verbose
id
}
}
}`, projectId, repoId)
}`, escapeGraphQLString(projectId), escapeGraphQLString(repoId))

Copilot AI Jun 22, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done in the latest commit. Both createProject and linkProjectToRepo (including its repo-ID query) now use static GraphQL query strings with variables passed as separate -f flags to gh api graphql. This eliminates all string interpolation from the query bodies, removing the need for manual escaping in these mutations entirely.


_, err = workflow.RunGH("Linking project to repository...", "api", "graphql", "-f", "query="+mutation)
if err != nil {
Expand Down
Loading