
Commit 4923d1c

Merge pull request #271 from tj-actions/security/prevent-arbitrary-code-injection-via-untrusted-inputs
security: prevent arbitrary code injection via untrusted inputs
2 parents c73f478 + d1dce85 commit 4923d1c


1 file changed

+36
-17
lines changed


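--- a/action.yml
+++ b/action.yml
@@ -37,12 +37,18 @@ runs:
   using: "composite"
   steps:
     - id: branch
+      env:
+        GITHUB_REF: ${{ github.ref }}
+        GITHUB_BASE_REF: ${{ github.event.pull_request.base.ref || github.base_ref }}
+        GITHUB_HEAD_REF: ${{ github.event.pull_request.head.ref || github.head_ref }}
+        GITHUB_EVENT_BASE_REF: ${{ github.event.base_ref }}
+        INPUTS_STRIP_TAG_PREFIX: ${{ inputs.strip_tag_prefix }}
       run: |
         # "Set branch names..."
-        if [[ "${{ github.ref }}" != "refs/tags/"* ]]; then
-          BASE_REF=$(printf "%q" "${{ github.event.pull_request.base.ref || github.base_ref }}")
-          HEAD_REF=$(printf "%q" "${{ github.event.pull_request.head.ref || github.head_ref }}")
-          REF=$(printf "%q" "${{ github.ref }}")
+        if [[ "$GITHUB_REF" != "refs/tags/"* ]]; then
+          BASE_REF=$(printf "%q" "$GITHUB_BASE_REF")
+          HEAD_REF=$(printf "%q" "$GITHUB_HEAD_REF")
+          REF=$(printf "%q" "$GITHUB_REF")
 
           BASE_REF=${BASE_REF/refs\/heads\//}
           HEAD_REF=${HEAD_REF/refs\/heads\//}
@@ -53,42 +59,55 @@ runs:
           echo "head_ref_branch=$(eval printf "%s" "$HEAD_REF")" >> "$GITHUB_OUTPUT"
           echo "ref_branch=$(eval printf "%s" "$REF_BRANCH")" >> "$GITHUB_OUTPUT"
         else
-          BASE_REF=$(printf "%q" "${{ github.event.base_ref }}")
-          BASE_REF=${BASE_REF/refs\/heads\/${{ inputs.strip_tag_prefix }}/}
+          BASE_REF=$(printf "%q" "$GITHUB_EVENT_BASE_REF")
+          BASE_REF=${BASE_REF/refs\/heads\/$INPUTS_STRIP_TAG_PREFIX/}
 
           echo "base_ref_branch=$(eval printf "%s" "$BASE_REF")" >> "$GITHUB_OUTPUT"
         fi
       shell: bash
     - id: current_branch
+      env:
+        GITHUB_REF: ${{ github.ref }}
+        GITHUB_EVENT_NAME: ${{ github.event_name }}
+        HEAD_REF_BRANCH: ${{ steps.branch.outputs.head_ref_branch }}
+        REF_BRANCH: ${{ steps.branch.outputs.ref_branch }}
       run: |
         # "Set the current branch name..."
-        if [[ "${{ github.ref }}" != "refs/tags/"* ]]; then
-          if [[ ${{ github.event_name }} == *"pull_request"* ]]; then
-            echo "current_branch=${{ steps.branch.outputs.head_ref_branch }}" >> "$GITHUB_OUTPUT"
+        if [[ "$GITHUB_REF" != "refs/tags/"* ]]; then
+          if [[ "$GITHUB_EVENT_NAME" == *"pull_request"* ]]; then
+            echo "current_branch=$HEAD_REF_BRANCH" >> "$GITHUB_OUTPUT"
           else
-            echo "current_branch=${{ steps.branch.outputs.ref_branch }}" >> "$GITHUB_OUTPUT"
+            echo "current_branch=$REF_BRANCH" >> "$GITHUB_OUTPUT"
           fi
         fi
       shell: bash
     - id: default
+      env:
+        GITHUB_REF: ${{ github.ref }}
+        CURRENT_BRANCH: ${{ steps.current_branch.outputs.current_branch }}
+        DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+        FORK: ${{ github.event.pull_request.head.repo.fork }}
       run: |
         # "Set the default branch name..."
-        if [[ "${{ github.ref }}" != "refs/tags/"* ]]; then
-          if [[ "${{ steps.current_branch.outputs.current_branch }}" == "${{ github.event.repository.default_branch }}" && "${{ github.event.pull_request.head.repo.fork }}" != "true" ]]; then
+        if [[ "$GITHUB_REF" != "refs/tags/"* ]]; then
+          if [[ "$CURRENT_BRANCH" == "$DEFAULT_BRANCH" && "$FORK" != "true" ]]; then
             echo "is_default=true" >> "$GITHUB_OUTPUT"
-            echo "default_branch=${{ github.event.repository.default_branch }}" >> "$GITHUB_OUTPUT"
+            echo "default_branch=$DEFAULT_BRANCH" >> "$GITHUB_OUTPUT"
           else
             echo "is_default=false" >> "$GITHUB_OUTPUT"
-            echo "default_branch=${{ github.event.repository.default_branch }}" >> "$GITHUB_OUTPUT"
+            echo "default_branch=$DEFAULT_BRANCH" >> "$GITHUB_OUTPUT"
           fi
         fi
       shell: bash
     - id: tag
+      env:
+        GITHUB_REF: ${{ github.ref }}
+        INPUTS_STRIP_TAG_PREFIX: ${{ inputs.strip_tag_prefix }}
       run: |
         # "Set the tag name..."
-        if [[ "${{ github.ref }}" == "refs/tags/"* ]]; then
-          REF=$(printf "%q" "${{ github.ref }}")
-          TAG=${REF/refs\/tags\/${{ inputs.strip_tag_prefix }}/}
+        if [[ "$GITHUB_REF" == "refs/tags/"* ]]; then
+          REF=$(printf "%q" "$GITHUB_REF")
+          TAG="${REF/refs\/tags\/$INPUTS_STRIP_TAG_PREFIX/}"
 
           echo "tag=$(eval printf "%s" "$TAG")" >> "$GITHUB_OUTPUT"
           echo "is_tag=true" >> "$GITHUB_OUTPUT"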
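Review bot: In the `branch` and `tag` steps, `$INPUTS_STRIP_TAG_PREFIX` is expanded unquoted inside the pattern of `${BASE_REF/refs\/heads\/$INPUTS_STRIP_TAG_PREFIX/}` and `${REF/refs\/tags\/$INPUTS_STRIP_TAG_PREFIX/}`, so a prefix value containing `*`, `?` or `[` is treated as a glob rather than a literal and can strip more of the ref than intended; writing it as `"$INPUTS_STRIP_TAG_PREFIX"` inside the pattern keeps it literal. Those same lines apply the substitution to the `printf "%q"`-escaped form of the ref, so a prefix containing any character `%q` escapes would no longer match; now that the values reach the script through `env:` instead of being spliced into its text, the `%q`/`eval` round-trip no longer serves the injection defence and could be retired in a follow-up with plain parameter expansion. Separately, `GITHUB_REF`, `GITHUB_BASE_REF` and `GITHUB_HEAD_REF` reuse the names of runner-provided default variables; this presumably works because the step-level `env:` is more specific, but a distinct prefix would make the shadowing explicit and avoid confusing these expression-derived values with the runner's own. The `tag` step's trailing `shell: bash` line lies outside the hunk.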
