From 498d3f316f501aa72485060e8c96fde7b2014f12 Mon Sep 17 00:00:00 2001
From: Jorge <46056498+jorgectf@users.noreply.github.com>
Date: Thu, 28 Dec 2023 14:39:29 +0100
Subject: [PATCH] Merge pull request from GHSA-ghm2-rq8q-wrhc
* feat: add `safe_output` input enabled by default
* fix: migrate README to safe uses of interpolation
* fix: also sanitize `)`
* fix: remove sanitization of `'`
* fix: also sanitize `|`
* fix: also sanitize `&`
* fix: also sanitize `;`
---
README.md | 14 ++++++++++++--
action.yml | 5 +++++
entrypoint.sh | 10 ++++++++++
3 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index d475d61..1f7f312 100644
--- a/README.md
+++ b/README.md
@@ -60,6 +60,7 @@ Verify that certain files or directories did or did not change during the workfl
 uses: tj-actions/verify-changed-files@v16
 id: verify-changed-files
 with:
+ safe_output: false # true by default, set to false because we are using an environment variable to store the output and avoid command injection.
 files: |
 *.txt
 test_directory
@@ -69,8 +70,11 @@ Verify that certain files or directories did or did not change during the workfl
 - name: Run step only when any of the above files change.
 if: steps.verify-changed-files.outputs.files_changed == 'true'
+ env:
+ FILES_CHANGED: |-
+ ${{ steps.verify-changed-files.outputs.changed_files }}
 run: |
- echo "Changed files: ${{ steps.verify-changed-files.outputs.changed_files }}"
+ echo "Changed files: $FILES_CHANGED"
 # Outputs: "Changed files: new.txt test_directory/new.txt"
 ```
@@ -82,6 +86,7 @@ Verify that certain files or directories did or did not change during the workfl
 uses: tj-actions/verify-changed-files@v16
 id: verify-changed-files
 with:
+ safe_output: false
 files: |
 new.txt
 test_directory
@@ -99,10 +104,15 @@ Verify that certain files or directories did or did not change during the workfl
 - name: Verify Changed files
 uses: tj-actions/verify-changed-files@v16
 id: verify-changed-files
+ with:
+ safe_output: false
 - name: List all changed files tracked and untracked files
+ env:
+ FILES_CHANGED: |-
+ ${{ steps.verify-changed-files.outputs.changed_files }}
 run: |
- echo "Changed files: ${{ steps.verify-changed-files.outputs.changed_files }}"
+ echo "Changed files: $FILES_CHANGED"
 ```
 If you feel generous and want to show some extra appreciation:
diff --git a/action.yml b/action.yml
index d4ff418..4e81f99 100644
--- a/action.yml
+++ b/action.yml
@@ -25,6 +25,10 @@ inputs:
 description: 'Message to display when files have changed and the `fail-if-changed` input is set to `true`.'
 default: "Files have changed."
 required: false
+ safe_output:
+ description: "Apply sanitization to output filenames before being set as output."
+ required: false
+ default: "true"
 outputs:
 files_changed:
@@ -61,6 +65,7 @@ runs:
 INPUT_MATCH_GITIGNORE_FILES: ${{ inputs.match-gitignore-files }}
 INPUT_FAIL_IF_CHANGED: ${{ inputs.fail-if-changed }}
 INPUT_FAIL_MSG: ${{ inputs.fail-message }}
+ INPUT_SAFE_OUTPUT: ${{ inputs.safe_output }}
 branding:
 icon: file-text
diff --git a/entrypoint.sh b/entrypoint.sh
index 937980e..6d15487 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
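Review bot: The new input is named `safe_output` while the inputs already wired in this file use kebab-case (`match-gitignore-files`, `fail-if-changed`, `fail-message`), so the naming is inconsistent with its siblings; if the name has to stay as published, a comment saying so would keep the next input from picking either convention at random. The description also leaves the reader guessing what "sanitization" means: from entrypoint.sh on this page it is backslash-escaping of a fixed set of shell metacharacters, which is defense in depth and not a substitute for passing the output into `run:` through `env:` as the README examples now do. Suggest `description: "Backslash-escape shell metacharacters (dollar, parentheses, backtick, pipe, ampersand, semicolon) in the changed_files output. Defense in depth only: still pass the output into run steps via env rather than inline expression interpolation."`. Since entrypoint.sh compares the value with `== "true"`, any other spelling (for example `True`) silently disables the escaping, which the description should state; the `INPUT_SAFE_OUTPUT` wiring in the second hunk is otherwise consistent with the existing environment mapping.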
@@ -66,6 +66,16 @@ if [[ -n "$CHANGED_FILES" ]]; then
 CHANGED_FILES=$(echo "$CHANGED_FILES" | awk '{gsub(/\|/,"\n"); print $0;}' | awk -v d="$INPUT_SEPARATOR" '{s=(NR==1?s:s d)$0}END{print s}')
+ if [[ "$INPUT_SAFE_OUTPUT" == "true" ]]; then
+ CHANGED_FILES=${CHANGED_FILES//$/\\$} # Replace $ with \$
+ CHANGED_FILES=${CHANGED_FILES//\(/\\\(}} # Replace ( with \(
+ CHANGED_FILES=${CHANGED_FILES//\)/\\\)}} # Replace ) with \)
+ CHANGED_FILES=${CHANGED_FILES//\`/\\\`} # Replace ` with \`
+ CHANGED_FILES=${CHANGED_FILES//|/\\|} # Replace | with \|
+ CHANGED_FILES=${CHANGED_FILES//&/\\&} # Replace & with \&
+ CHANGED_FILES=${CHANGED_FILES//;/\\;} # Replace ; with \;
+ fi
+
 echo "files_changed=true" >> "$GITHUB_OUTPUT"
 echo "changed_files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"