From 52820a0d8464f5898e11f9e4dc7543e8255e78a1 Mon Sep 17 00:00:00 2001 From: fg0x0 Date: Mon, 8 Jun 2026 16:59:39 +0800 Subject: [PATCH] fix: randomize heredoc delimiter in GITHUB_OUTPUT writes Replace fixed 'EOF' heredoc delimiter with a random per-invocation delimiter (ghdelim_) when writing gemini_response and gemini_errors to $GITHUB_OUTPUT. The fixed 'EOF' delimiter allows an LLM response containing a bare 'EOF' line to close the heredoc early. Subsequent name=value lines in the response then become arbitrary step outputs, enabling bash injection in any downstream consumer workflow that interpolates ${{ steps.gemini_run.outputs.X }} into a run: block. This follows the canonical pattern from GitHub's official docs: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#multiline-strings Fixes the vulnerability described in: - Google VRP Issue #514026965 - Related to GHSA-62f2-6rx8-v262 (TOML template fix) Present since v0.1.12 (PR #247, 2025-08-25).
---
 action.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/action.yml b/action.yml
index 35af14fe7..da92b2736 100644
--- a/action.yml
+++ b/action.yml 
@@ -350,22 +350,24 @@ runs:
 # Set the captured response as a step output, supporting multiline
- echo "gemini_response<> "${GITHUB_OUTPUT}"
+ _DELIM_RESP="ghdelim_$(openssl rand -hex 16)"
+ echo "gemini_response<<${_DELIM_RESP}" >> "${GITHUB_OUTPUT}"
 if [[ -n "${RESPONSE}" ]]; then
 echo "${RESPONSE}" >> "${GITHUB_OUTPUT}"
 else
 cat "${TEMP_STDOUT}" >> "${GITHUB_OUTPUT}"
 fi
- echo "EOF" >> "${GITHUB_OUTPUT}"
+ echo "${_DELIM_RESP}" >> "${GITHUB_OUTPUT}"
 # Set the captured errors as a step output, supporting multiline
- echo "gemini_errors<> "${GITHUB_OUTPUT}"
+ _DELIM_ERR="ghdelim_$(openssl rand -hex 16)"
+ echo "gemini_errors<<${_DELIM_ERR}" >> "${GITHUB_OUTPUT}"
 if [[ -n "${ERROR_JSON}" ]]; then
 echo "${ERROR_JSON}" >> "${GITHUB_OUTPUT}"
 else
 cat "${TEMP_STDERR}" >> "${GITHUB_OUTPUT}"
 fi
- echo "EOF" >> "${GITHUB_OUTPUT}"
+ echo "${_DELIM_ERR}" >> "${GITHUB_OUTPUT}"
 # Generate Job Summary
 if [[ -n "${GITHUB_STEP_SUMMARY:-}" ]]; then
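Review bot: The new `_DELIM_RESP` and `_DELIM_ERR` assignments never check that `openssl rand -hex 16` produced anything; if `openssl` is absent or fails on the runner, the substitution is empty and the delimiter degrades to the fixed string `ghdelim_`, which is exactly the predictable-delimiter condition this commit is removing (whether `set -e` would abort the step first depends on the `run:` step's shell options, which begin outside this hunk). Guard the value before it is written, e.g. `[[ "${_DELIM_RESP}" != "ghdelim_" ]] || { echo "::error::could not generate output delimiter" >&2; exit 1; }`, and the same for `_DELIM_ERR`. The two sequences are otherwise identical apart from the output name and the data source, and both still use `echo` on LLM-controlled text and append the delimiter after a bare `cat`, so a temp file without a trailing newline would glue the delimiter onto the last content line and leave the heredoc unterminated. A small helper that generates and checks the delimiter once and writes name, content and delimiter with a single `printf` covers all of this; a sketch follows.
```shell
# Append NAME as a multiline step output; CONTENT is the literal value (may be empty).
write_multiline_output() {
  local name=$1 content=$2 delim
  delim="ghdelim_$(openssl rand -hex 16)"
  # An empty substitution would silently fall back to the fixed "ghdelim_"; refuse instead.
  [[ "${delim}" != "ghdelim_" ]] || { echo "::error::could not generate output delimiter" >&2; return 1; }
  # printf guarantees the delimiter lands on its own line even when CONTENT lacks a trailing newline.
  printf '%s<<%s\n%s\n%s\n' "${name}" "${delim}" "${content}" "${delim}" >> "${GITHUB_OUTPUT}"
}
if [[ -n "${RESPONSE}" ]]; then
  write_multiline_output gemini_response "${RESPONSE}"
else
  write_multiline_output gemini_response "$(cat "${TEMP_STDOUT}")"
fi
# … unchanged: same two branches for gemini_errors using ERROR_JSON / TEMP_STDERR …
```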