Skip to content

Commit

Permalink
fix: Mitigate command injection risk in GitHub Actions workflow
Browse files Browse the repository at this point in the history
- Refactored workflow to use environment variables for dynamic inputs
  (e.g., issue title, body, state) instead of directly embedding them
  in `run` commands.
- Added `env` context to store values like `ISSUE_TITLE`, `ISSUE_BODY`,
  `ISSUE_STATE`, and `REQUIRE_RESULT` for safer command execution.
- Updated `if` conditions and `run` commands to reference environment
  variables, reducing the potential for command injection.
  • Loading branch information
rohanday3 committed Sep 16, 2024
1 parent eeebd3f commit 2c7150d
Showing 1 changed file with 20 additions and 6 deletions.
26 changes: 20 additions & 6 deletions .github/workflows/issue-checker.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,16 +18,26 @@ jobs:
log-conditions:
runs-on: ubuntu-latest
needs: check-permission
env:
ISSUE_TITLE: ${{ github.event.issue.title }}
ISSUE_BODY: ${{ github.event.issue.body }}
ISSUE_STATE: ${{ github.event.issue.state }}
REQUIRE_RESULT: ${{ needs.check-permission.outputs.require-result }}
steps:
- run: echo "needs.check-permission.outputs.require-result = ${{ needs.check-permission.outputs.require-result }}"
- run: echo "github.event.issue.state = ${{ github.event.issue.state }}"
- run: echo "contains(github.event.issue.title, '[Feature Request]') = ${{ contains(github.event.issue.title, '[Feature Request]') }}"
- run: echo "contains(github.event.issue.body, 'https://github.com') = ${{ contains(github.event.issue.body, 'https://github.com') }}"
- run: echo "require-result = $REQUIRE_RESULT"
- run: echo "issue state = $ISSUE_STATE"
- run: echo "contains '[Feature Request]' in title: ${{ contains(env.ISSUE_TITLE, '[Feature Request]') }}"
- run: echo "contains 'https://github.com' in body: ${{ contains(env.ISSUE_BODY, 'https://github.com') }}"

check-open:
runs-on: ubuntu-latest
needs: check-permission
if: needs.check-permission.outputs.require-result == 'false' && github.event.issue.state == 'open' && contains(github.event.issue.title, '[Feature Request]') == false && contains(github.event.issue.body, 'https://github.com') == false && contains(github.event.issue.body, 'https://stackblitz.com') == false && contains(github.event.issue.body, 'https://codesandbox.io') == false
env:
ISSUE_TITLE: ${{ github.event.issue.title }}
ISSUE_BODY: ${{ github.event.issue.body }}
ISSUE_STATE: ${{ github.event.issue.state }}
REQUIRE_RESULT: ${{ needs.check-permission.outputs.require-result }}
if: env.REQUIRE_RESULT == 'false' && env.ISSUE_STATE == 'open' && contains(env.ISSUE_TITLE, '[Feature Request]') == false && contains(env.ISSUE_BODY, 'https://github.com') == false && contains(env.ISSUE_BODY, 'https://stackblitz.com') == false && contains(env.ISSUE_BODY, 'https://codesandbox.io') == false
steps:
- uses: actions-cool/maintain-one-comment@v3
with:
Expand All @@ -39,7 +49,11 @@ jobs:
check-close:
runs-on: ubuntu-latest
needs: check-permission
if: needs.check-permission.outputs.require-result == 'false' && github.event.issue.state == 'closed' && (contains(github.event.issue.body, 'https://github.com') == true || contains(github.event.issue.body, 'https://stackblitz.com') == true || contains(github.event.issue.body, 'https://codesandbox.io') == true)
env:
ISSUE_BODY: ${{ github.event.issue.body }}
ISSUE_STATE: ${{ github.event.issue.state }}
REQUIRE_RESULT: ${{ needs.check-permission.outputs.require-result }}
if: env.REQUIRE_RESULT == 'false' && env.ISSUE_STATE == 'closed' && (contains(env.ISSUE_BODY, 'https://github.com') == true || contains(env.ISSUE_BODY, 'https://stackblitz.com') == true || contains(env.ISSUE_BODY, 'https://codesandbox.io') == true)
steps:
- uses: actions-cool/issues-helper@v3
with:
Expand Down

0 comments on commit 2c7150d

Please # to comment.