Potential fix for code scanning alert no. 2: Code injection

[ajay-dhangar]

Potential fix for https://github.com/codeharborhub/dsa/security/code-scanning/2

In general, to fix this kind of problem in GitHub Actions you should avoid referencing untrusted github.* values directly inside shell scripts via ${{ ... }}. Instead, pass those values into the step as environment variables, and then read them using the shell’s native environment variable syntax (e.g., $ISSUE_BODY). This ensures the Actions expression engine only substitutes values in a safe context and reduces the risk of subtle parsing or injection issues in the shell.

For this specific workflow, the unsafe usage occurs where issue_body is assigned using ${{ github.event.issue.body }} in the Validate Issue Content step (line 37) and again in the Check for Security and Trust step (line 45). The best fix without changing functionality is:

• Add an env: section to each of these two steps, defining e.g. ISSUE_BODY: ${{ github.event.issue.body }}.
• In the run: script blocks, replace issue_body="${{ github.event.issue.body }}" with issue_body="$ISSUE_BODY" (or just use $ISSUE_BODY directly in the conditions).

This keeps the logic identical (still checking for disallowed phrases and for mentions of “security” and “trust”) while following GitHub’s recommended pattern. No new imports or external tools are needed; changes are confined to .github/workflows/issue_creation_workflow.yml in those two steps.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

[github-actions]

Great job, @ajay-dhangar! 🎉 Thank you for submitting your pull request to CodeHarborHub. We appreciate your contribution and enthusiasm! Our team will review it soon. If you have any questions or need further assistance, feel free to reach out. Thanks for contributing!