Fix command injection vulnerability in Github workflow

[arunstar]

github.event.issue.body is potentially untrusted. Avoid using it directly in inline scripts. instead, pass it through an environment variable.

See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions for more details

[github-actions]

	Messages
📖	✨ Thanks for your contribution to Shields, @arunstar!

Generated by 🚫 dangerJS against deae2e3

[jNullj]

LGTM, tested this in my fork, i was able to inject before this change and was not able to do so after them.

I am sorry that i missed this when introducing this new feature.

[jNullj]

@chris48s @calebcartwright Sorry to ping you but this seems to require a quick response

I think its best to report those type of things at security@shields.io and not publicly.
Please notice that SECURITY.md does not directly refer to Github actions/workflow

[arunstar]

Sorry for the oversight. I thought it's a small patch that I could do it myself. will be careful next time.

[jNullj]

To try and estimate the damage made so far i went to the action log at https://github.com/badges/shields/actions/workflows/test-bug-run-badge.yml and checked all runs.
So far it seems no attack was performed. You can see in the logs how the issue appears

[PyvesB]

Thanks for discovering and fixing this issue @arunstar! I'll second @jNullj on how it would have been best to report his, but if you missed it, it may simply be that the policy is not discoverable enough, and that's on us/GitHub. As a quick win, I'll point to the policy in the security label, this will help surface it a little.

Thanks for checking impact @jNullj!

[PyvesB]

As a quick win, I'll point to the policy in the security label, this will help surface it a little.

Another small thing that may help: #9544

[chris48s]

Thanks all 👍 I've raised #9547 as a follow up to this.