From fe77b196f4824137f0a7d8c1e6a2f443dbd4f7b3 Mon Sep 17 00:00:00 2001
From: "Y. Meyer-Norwood" <106889957+norwd@users.noreply.github.com>
Date: Tue, 13 Dec 2022 11:16:31 +1300
Subject: [PATCH] Prevent Script Injection Attack

The user provided inputs here are vulnerable to script injection. This PR uses an intermediary environment variable to treat the input as a string, rather than as part of the command.

See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
---
 .github/workflows/update-main-version.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/update-main-version.yml b/.github/workflows/update-main-version.yml
index c1e046a..c4379e0 100644
--- a/.github/workflows/update-main-version.yml
+++ b/.github/workflows/update-main-version.yml
@@ -16,6 +16,9 @@ on:
 jobs:
 tag:
 runs-on: ubuntu-latest
+ env:
+ TARGET: ${{ github.event.inputs.target }}
+ MAIN_VERSION: ${{ github.event.inputs.main_version }}
 steps:
 - uses: actions/checkout@v3
 with:
@@ -25,6 +28,6 @@ jobs:
 git config user.name github-actions
 git config user.email github-actions@github.com
 - name: Tag new target
- run: git tag -f ${{ github.event.inputs.main_version }} ${{ github.event.inputs.target }}
+ run: git tag -f "$MAIN_VERSION" "$TARGET"
 - name: Push new tag
- run: git push origin ${{ github.event.inputs.main_version }} --force
+ run: git push origin "$MAIN_VERSION" --force
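Review bot: Quoting `"$MAIN_VERSION"` and `"$TARGET"` in the second hunk stops shell interpretation, but both values are still passed to git as positional arguments, so a workflow_dispatch input beginning with `-` would be read by `git tag` and `git push` as an option rather than a tag name or target (argument injection rather than shell injection). Since both are plain git builtins that should treat `--` as end-of-options, the two run lines can be written as `run: git tag -f -- "$MAIN_VERSION" "$TARGET"` and `run: git push --force origin -- "$MAIN_VERSION"`; confirming on a local git that `--` is accepted there is worthwhile before merging. A stricter alternative is a preceding step that validates both env values against the expected shape (for example a `v<digits>` tag name and a commit-ish without a leading dash) and fails the job otherwise, which also gives a clearer error than a git usage message. The `steps:` list and the `run: |` block holding the `git config` lines start outside the hunks shown here, so I cannot see whether any other step still interpolates these inputs directly.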