From d0cb1170342beaccc3ff0fd838f28a8072d464bf Mon Sep 17 00:00:00 2001
From: "chengyu.yu"
Date: Wed, 1 Apr 2026 16:17:10 +0800
Subject: [PATCH 1/3] Add PoC workflow for expression injection test
---
.github/workflows/poc-injection.yml | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
create mode 100644 .github/workflows/poc-injection.yml
diff --git a/.github/workflows/poc-injection.yml b/.github/workflows/poc-injection.yml
new file mode 100644
index 0000000..7a8bba9
--- /dev/null
+++ b/.github/workflows/poc-injection.yml
@@ -0,0 +1,16 @@
+name: PoC - Expression Injection
+
+on:
+ pull_request:
+ types: [opened, closed]
+
+jobs:
+ vulnerable_job:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Vulnerable step - same pattern as Send_message_to_slack.yml
+ run: |
+ echo "=== PoC: GitHub Actions Expression Injection ==="
+ echo "PR_TITLE=${{ github.event.pull_request.title }}"
+ echo "HEAD_REF=${{ github.head_ref }}"
+ echo "=== If you see RCE_PROVEN below, injection works ==="
From a0528dac1bdc981f6951129467e366d013cc9a0d Mon Sep 17 00:00:00 2001
From: "chengyu.yu"
Date: Wed, 1 Apr 2026 16:21:22 +0800
Subject: [PATCH 2/3] PoC: expression injection test
From 5f5e7d4e2fff1936bfbaf3656076cc4d284de756 Mon Sep 17 00:00:00 2001
From: "chengyu.yu"
Date: Wed, 1 Apr 2026 16:22:10 +0800
Subject: [PATCH 3/3] PoC: expression injection via branch name
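Review bot: The two `${{ … }}` expressions inside the `run:` block are substituted into the script text before the shell starts, so the pull-request title and head branch name, both chosen by whoever opens the PR, are parsed as shell syntax rather than handled as data. Binding them under `env:` and echoing the quoted shell variables keeps them as plain strings, as in the excerpt below. The workflow also declares no `permissions:` key, so the job runs with the repository's default token scope; a workflow-level `permissions: {}` would be a sensible floor for a job that only echoes. The step name says Send_message_to_slack.yml uses the same pattern; that file is not part of this patch, so it should be checked separately.

```yaml
      - name: Vulnerable step - same pattern as Send_message_to_slack.yml
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          HEAD_REF: ${{ github.head_ref }}
        run: |
          # … unchanged: opening banner echo …
          echo "PR_TITLE=$PR_TITLE"
          echo "HEAD_REF=$HEAD_REF"
          # … unchanged: closing echo …
```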