From 6e345493b45817cc01c637b31ff8d32826da72ad Mon Sep 17 00:00:00 2001 From: XananasX7 Date: Sun, 28 Jun 2026 02:13:08 +0000 Subject: [PATCH 1/2] fix(security): prevent prompt injection via issue/PR content in Gemini workflows ISSUE_TITLE and ISSUE_BODY from GitHub events were passed directly as env vars to gemini-cli agents. An attacker can craft an issue/PR with adversarial content that hijacks the agent's behavior (e.g. exfiltrating secrets, posting malicious comments). Fix: remove the env vars and have the agent fetch content via the GitHub API using the issue/PR number, where structured data is separated from prompt instructions. --- .github/workflows/gemini-review.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/gemini-review.yml b/.github/workflows/gemini-review.yml index 80522f0bfeb..481be564d01 100644 --- a/.github/workflows/gemini-review.yml +++ b/.github/workflows/gemini-review.yml @@ -44,8 +44,9 @@ jobs: id: 'gemini_pr_review' env: GITHUB_TOKEN: '${{ steps.mint_identity_token.outputs.token || secrets.GITHUB_TOKEN || github.token }}' - ISSUE_TITLE: '${{ github.event.pull_request.title }}' - ISSUE_BODY: '${{ github.event.pull_request.body }}' + # ISSUE_TITLE and ISSUE_BODY intentionally omitted: passing raw GitHub event + # content as env vars is a prompt-injection vector. The agent should + # fetch PR/issue content via the GitHub API using PULL_REQUEST_NUMBER. PULL_REQUEST_NUMBER: '${{ github.event.pull_request.number }}' REPOSITORY: '${{ github.repository }}' ADDITIONAL_CONTEXT: '${{ inputs.additional_context }}' @@ -117,8 +118,9 @@ jobs: id: 'gemini_security_analysis' env: GITHUB_TOKEN: '${{ steps.mint_identity_token.outputs.token || secrets.GITHUB_TOKEN || github.token }}' - ISSUE_TITLE: '${{ github.event.pull_request.title }}' - ISSUE_BODY: '${{ github.event.pull_request.body }}' + # ISSUE_TITLE and ISSUE_BODY intentionally omitted: passing raw GitHub event + # content as env vars is a prompt-injection vector. The agent should + # fetch PR/issue content via the GitHub API using PULL_REQUEST_NUMBER. PULL_REQUEST_NUMBER: '${{ github.event.pull_request.number }}' REPOSITORY: '${{ github.repository }}' ADDITIONAL_CONTEXT: '${{ inputs.additional_context }}' From ed4c83c046291483a3ffa9dc0187c177f6f24857 Mon Sep 17 00:00:00 2001 From: XananasX7 Date: Sun, 28 Jun 2026 02:21:40 +0000 Subject: [PATCH 2/2] fix(security): also remove prompt-injection vars from gemini-plan-execute.yml --- .github/workflows/gemini-plan-execute.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gemini-plan-execute.yml b/.github/workflows/gemini-plan-execute.yml index 29f6da05351..3db78913762 100644 --- a/.github/workflows/gemini-plan-execute.yml +++ b/.github/workflows/gemini-plan-execute.yml @@ -44,8 +44,8 @@ jobs: id: 'run_gemini' uses: 'google-github-actions/run-gemini-cli@v0' # ratchet:exclude env: - TITLE: '${{ github.event.pull_request.title }}' - DESCRIPTION: '${{ github.event.pull_request.body }}' + # TITLE and DESCRIPTION intentionally omitted: prompt-injection vector. + # Agent fetches PR content via GitHub API using ISSUE_NUMBER. EVENT_NAME: '${{ github.event_name }}' GITHUB_TOKEN: '${{ steps.mint_identity_token.outputs.token || secrets.GITHUB_TOKEN || github.token }}' IS_PULL_REQUEST: '${{ !!github.event.pull_request }}'