Prevent Script Injection Attack

The user provided inputs here are vulnerable to script injection. This PR uses an intermediary environment variable to treat the input as a string, rather than as part of the command. See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
2 years ago · fe77b196f4
parent 755da8c3cf
commit fe77b196f4
1 changed files with 5 additions and 2 deletions
--- a/.github/workflows/update-main-version.yml
+++ b/.github/workflows/update-main-version.yml
@ -16,6 +16,9 @@ on:
 jobs:
  tag:
    runs-on: ubuntu-latest
+    env:
+      TARGET: ${{ github.event.inputs.target }}
+      MAIN_VERSION: ${{ github.event.inputs.main_version }}
    steps:
    - uses: actions/checkout@v3
      with:
@ -25,6 +28,6 @@ jobs:
        git config user.name github-actions
        git config user.email github-actions@github.com
    - name: Tag new target
-      run: git tag -f ${{ github.event.inputs.main_version }} ${{ github.event.inputs.target }}
+      run: git tag -f "$MAIN_VERSION" "$TARGET"
    - name: Push new tag
-      run: git push origin ${{ github.event.inputs.main_version }} --force
+      run: git push origin "$MAIN_VERSION" --force