3
0
Fork 0
mirror of https://github.com/actions/checkout.git synced 2024-11-22 19:29:32 +01:00

Prevent Script Injection Attack

The user provided inputs here are vulnerable to script injection. This PR uses an intermediary environment variable to treat the input as a string, rather than as part of the command.

See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
This commit is contained in:
Y. Meyer-Norwood 2022-12-13 11:16:31 +13:00 committed by GitHub
parent 755da8c3cf
commit fe77b196f4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -16,6 +16,9 @@ on:
jobs:
tag:
runs-on: ubuntu-latest
env:
TARGET: ${{ github.event.inputs.target }}
MAIN_VERSION: ${{ github.event.inputs.main_version }}
steps:
- uses: actions/checkout@v3
with:
@ -25,6 +28,6 @@ jobs:
git config user.name github-actions
git config user.email github-actions@github.com
- name: Tag new target
run: git tag -f ${{ github.event.inputs.main_version }} ${{ github.event.inputs.target }}
run: git tag -f "$MAIN_VERSION" "$TARGET"
- name: Push new tag
run: git push origin ${{ github.event.inputs.main_version }} --force
run: git push origin "$MAIN_VERSION" --force