actions/checkout
1
0
Fork 0
mirror of https://github.com/actions/checkout.git synced 2024-11-10 04:18:26 +08:00
Code Issues Packages Projects Releases Wiki Activity

Prevent Script Injection Attack

Browse Source 
The user provided inputs here are vulnerable to script injection. This PR uses an intermediary environment variable to treat the input as a string, rather than as part of the command.

See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
This commit is contained in:
Y. Meyer-Norwood 2022-12-13 11:16:31 +13:00 committed by GitHub
parent 755da8c3cf
commit fe77b196f4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
.github/workflows/update-main-version.yml vendored
View File

@ -16,6 +16,9 @@ on:
jobs: jobs:
tag: tag:
runs-on: ubuntu-latest runs-on: ubuntu-latest
env:
TARGET: ${{ github.event.inputs.target }}
MAIN_VERSION: ${{ github.event.inputs.main_version }}
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
with: with:
@ -25,6 +28,6 @@ jobs:
git config user.name github-actions git config user.name github-actions
git config user.email github-actions@github.com git config user.email github-actions@github.com
- name: Tag new target - name: Tag new target
run: git tag -f ${{ github.event.inputs.main_version }} ${{ github.event.inputs.target }} run: git tag -f "$MAIN_VERSION" "$TARGET"
- name: Push new tag - name: Push new tag
run: git push origin ${{ github.event.inputs.main_version }} --force run: git push origin "$MAIN_VERSION" --force