🌱 fix script injection (#3695)

Thanks to @AdnaneKhan for the report. * start with reporter patch * use env variable for bash step too Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-08-15 19:30:40 +03:00 · 2023-11-27 15:10:51 -08:00 · 2023-11-27 15:10:51 -08:00 · 84bd607ae8
commit 84bd607ae8
parent f8198b0621
1 changed files with 6 additions and 11 deletions
--- a/.github/workflows/scdiff.yml
+++ b/.github/workflows/scdiff.yml
@ -49,15 +49,10 @@ jobs:
          https://gitlab.com/baserow/baserow
          https://gitlab.com/cryptsetup/cryptsetup
          EOF
-      # use shell syntax to escape, since the checks arg goes to CLI when calling scdiff
-      - name: escape comment body
-        id: comment
-        env:
-          BODY: ${{ github.event.comment.body }}
-        run: |
-          echo "body=$BODY" >> $GITHUB_OUTPUT
      - name: configure scdiff
        id: config
+        env:
+          COMMENT_BODY: ${{ github.event.comment.body }}
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          script: |
@ -76,13 +71,13 @@ jobs:
            core.setOutput('head', response.data.head.sha)

            checks = '""'
-            const commentBody = '${{ steps.comment.outputs.body }}'
+            const commentBody = process.env.COMMENT_BODY
            const regex = /\/scdiff generate ([^ ]+)/;
            const found = commentBody.match(regex);
            if (found && found.length == 2) {
              checks = found[1]
            }
-            core.setOutput('checks', checks)
+            core.exportVariable('SCORECARD_CHECKS', checks)
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          ref: ${{ steps.config.outputs.base }}
@ -98,7 +93,7 @@ jobs:
        run: |
          go run cmd/internal/scdiff/main.go generate \
            --repos $HOME/repos.txt \
-            --checks ${{ steps.config.outputs.checks }} > $HOME/before.json
+            --checks $SCORECARD_CHECKS > $HOME/before.json
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          ref: ${{ steps.config.outputs.head }}
@ -109,7 +104,7 @@ jobs:
        run: |
          go run cmd/internal/scdiff/main.go generate \
            --repos $HOME/repos.txt \
-            --checks ${{ steps.config.outputs.checks }} > $HOME/after.json
+            --checks $SCORECARD_CHECKS > $HOME/after.json
      - name: compare results
        run: |
          go run cmd/internal/scdiff/main.go compare $HOME/before.json $HOME/after.json