🌱 fix script injection (#3695)
Thanks to @AdnaneKhan for the report.

* start with reporter patch
* use env variable for bash step too

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
spencerschrock authored Nov 27, 2023
1 parent f8198b0 commit 84bd607
Showing 1 changed file with 6 additions and 11 deletions.
17 changes: 6 additions & 11 deletions .github/workflows/scdiff.yml
Expand Up @@ -49,15 +49,10 @@ jobs:
https://gitlab.com/baserow/baserow
https://gitlab.com/cryptsetup/cryptsetup
EOF
# use shell syntax to escape, since the checks arg goes to CLI when calling scdiff
- name: escape comment body
id: comment
env:
BODY: ${{ github.event.comment.body }}
run: |
echo "body=$BODY" >> $GITHUB_OUTPUT
- name: configure scdiff
id: config
env:
COMMENT_BODY: ${{ github.event.comment.body }}
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
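Review bot: the removed "escape comment body" step did not escape anything, and its "use shell syntax to escape" comment was misleading: `echo "body=$BODY" >> $GITHUB_OUTPUT` copied the attacker-controlled comment body verbatim into a step output that was then spliced back into the JavaScript source via `${{ steps.comment.outputs.body }}`, so the injection survived the indirection (and a multi-line body would also have broken the `GITHUB_OUTPUT` key=value format). Passing the body through `env: COMMENT_BODY:` is the correct fix, because the runner evaluates the expression into an environment value rather than into script text; consider adding a one-line comment on the `env:` block stating that the body is deliberately read from the environment and must never be interpolated with `${{ }}` into `run:` or `script:`, since the only explanatory comment in this area was deleted.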
Expand All @@ -76,13 +71,13 @@ jobs:
core.setOutput('head', response.data.head.sha)
checks = '""'
const commentBody = '${{ steps.comment.outputs.body }}'
const commentBody = process.env.COMMENT_BODY
const regex = /\/scdiff generate ([^ ]+)/;
const found = commentBody.match(regex);
if (found && found.length == 2) {
checks = found[1]
}
core.setOutput('checks', checks)
core.exportVariable('SCORECARD_CHECKS', checks)
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: ${{ steps.config.outputs.base }}
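Review bot: `const commentBody = process.env.COMMENT_BODY` is the right replacement for the interpolated template literal, but two things around it deserve a look. First, the regex `/\/scdiff generate ([^ ]+)/` excludes only spaces, so tabs, newlines and shell metacharacters still end up in `checks`; since the value is consumed by a `run:` step, a whitelist such as `([A-Za-z0-9,_-]+)` would restrict it to plausible check-name lists. Second, the `checks = '""'` default relies on the downstream shell re-parsing an unquoted `$SCORECARD_CHECKS` into an empty argument, which is what prevents quoting it there; if the CLI accepts an empty value, an empty-string default plus a quoted expansion would be less fragile. A `?? ''` guard on `commentBody` would also avoid a thrown `TypeError` on `.match` should this step ever run on an event without a comment body.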
Expand All @@ -98,7 +93,7 @@ jobs:
run: |
go run cmd/internal/scdiff/main.go generate \
--repos $HOME/repos.txt \
--checks ${{ steps.config.outputs.checks }} > $HOME/before.json
--checks $SCORECARD_CHECKS > $HOME/before.json
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: ${{ steps.config.outputs.head }}
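Review bot: switching `--checks ${{ steps.config.outputs.checks }}` to `--checks $SCORECARD_CHECKS` is the correct pattern, since the old form pasted the comment-derived value into the shell script source before bash parsed it, while an environment expansion is not re-parsed for command substitution. The expansion is still unquoted, so a value containing whitespace or glob characters will word-split or glob-expand into extra arguments to `scdiff generate`; quoting it as `"$SCORECARD_CHECKS"` (and `"$HOME/repos.txt"` on the line above) is preferable once the `'""'` default in the configure step no longer depends on unquoted re-parsing.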
Expand All @@ -109,7 +104,7 @@ jobs:
run: |
go run cmd/internal/scdiff/main.go generate \
--repos $HOME/repos.txt \
--checks ${{ steps.config.outputs.checks }} > $HOME/after.json
--checks $SCORECARD_CHECKS > $HOME/after.json
- name: compare results
run: |
go run cmd/internal/scdiff/main.go compare $HOME/before.json $HOME/after.json
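Review bot: same observation as for the `before.json` step: `--checks $SCORECARD_CHECKS` fixes the script-injection path but leaves the expansion unquoted, so the two `generate` invocations should be quoted together once the default value allows it, keeping `before.json` and `after.json` generated with identical arguments so the `compare` step below is not skewed by a parsing difference between the two runs.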
