Merge pull request from GHSA-ghm2-rq8q-wrhc

* feat: add `safe_output` input enabled by default

* fix: migrate README to safe uses of interpolation

* fix: also sanitize `)`

* fix: remove sanitization of `'`

* fix: also sanitize `|`

* fix: also sanitize `&`

* fix: also sanitize `;`

README.md

@@ -60,6 +60,7 @@ Verify that certain files or directories did or did not change during the workfl
         uses: tj-actions/verify-changed-files@v16
         id: verify-changed-files
         with:
+          safe_output: false # true by default, set to false because we are using an environment variable to store the output and avoid command injection.
           files: |
              *.txt
              test_directory
@@ -69,8 +70,11 @@ Verify that certain files or directories did or did not change during the workfl
 
       - name: Run step only when any of the above files change.
         if: steps.verify-changed-files.outputs.files_changed == 'true'
+        env:
+          FILES_CHANGED: |-
+            ${{ steps.verify-changed-files.outputs.changed_files }}
         run: |
-          echo "Changed files: ${{ steps.verify-changed-files.outputs.changed_files }}"
+          echo "Changed files: $FILES_CHANGED"
         # Outputs: "Changed files: new.txt test_directory/new.txt"
 ```
 
@@ -82,6 +86,7 @@ Verify that certain files or directories did or did not change during the workfl
         uses: tj-actions/verify-changed-files@v16
         id: verify-changed-files
         with:
+          safe_output: false
           files: |
              new.txt
              test_directory
@@ -99,10 +104,15 @@ Verify that certain files or directories did or did not change during the workfl
       - name: Verify Changed files
         uses: tj-actions/verify-changed-files@v16
         id: verify-changed-files
+        with:
+          safe_output: false
 
       - name: List all changed files tracked and untracked files
+        env:
+          FILES_CHANGED: |-
+            ${{ steps.verify-changed-files.outputs.changed_files }}
         run: |
-          echo "Changed files: ${{ steps.verify-changed-files.outputs.changed_files }}"
+          echo "Changed files: $FILES_CHANGED"
 ```
 
 If you feel generous and want to show some extra appreciation:

action.yml

@@ -25,6 +25,10 @@ inputs:
     description: 'Message to display when files have changed and the `fail-if-changed` input is set to `true`.'
     default: "Files have changed."
     required: false
+  safe_output:
+    description: "Apply sanitization to output filenames before being set as output."
+    required: false
+    default: "true"
 
 outputs:
   files_changed:
@@ -61,6 +65,7 @@ runs:
         INPUT_MATCH_GITIGNORE_FILES: ${{ inputs.match-gitignore-files }}
         INPUT_FAIL_IF_CHANGED: ${{ inputs.fail-if-changed }}
         INPUT_FAIL_MSG: ${{ inputs.fail-message }}
+        INPUT_SAFE_OUTPUT: ${{ inputs.safe_output }}
 
 branding:
   icon: file-text

entrypoint.sh

@@ -66,6 +66,16 @@ if [[ -n "$CHANGED_FILES" ]]; then
 
   CHANGED_FILES=$(echo "$CHANGED_FILES" | awk '{gsub(/\|/,"\n"); print $0;}' | awk -v d="$INPUT_SEPARATOR" '{s=(NR==1?s:s d)$0}END{print s}')
 
+  if [[ "$INPUT_SAFE_OUTPUT" == "true" ]]; then
+    CHANGED_FILES=${CHANGED_FILES//$/\\$} # Replace $ with \$
+    CHANGED_FILES=${CHANGED_FILES//\(/\\\(}} # Replace ( with \(
+    CHANGED_FILES=${CHANGED_FILES//\)/\\\)}} # Replace ) with \)
+    CHANGED_FILES=${CHANGED_FILES//\`/\\\`} # Replace ` with \`
+    CHANGED_FILES=${CHANGED_FILES//|/\\|} # Replace | with \|
+    CHANGED_FILES=${CHANGED_FILES//&/\\&} # Replace & with \&
+    CHANGED_FILES=${CHANGED_FILES//;/\\;} # Replace ; with \;
+  fi
+
   echo "files_changed=true" >> "$GITHUB_OUTPUT"
   echo "changed_files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"