security: prevent arbitrary code injection via untrusted inputs

Tonye Jack 2023-12-02 22:39:12 -07:00 committed by GitHub
parent c73f478233
commit 73b5e05c85
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -37,12 +37,18 @@ runs:
using: "composite" using: "composite"
steps: steps:
- id: branch - id: branch
env:
GITHUB_REF: ${{ github.ref }}
GITHUB_BASE_REF: ${{ github.event.pull_request.base.ref || github.base_ref }}
GITHUB_HEAD_REF: ${{ github.event.pull_request.head.ref || github.head_ref }}
GITHUB_EVENT_BASE_REF: ${{ github.event.base_ref }}
INPUTS_STRIP_TAG_PREFIX: ${{ inputs.strip_tag_prefix }}
run: | run: |
# "Set branch names..." # "Set branch names..."
if [[ "${{ github.ref }}" != "refs/tags/"* ]]; then if [[ "$GITHUB_REF" != "refs/tags/"* ]]; then
BASE_REF=$(printf "%q" "${{ github.event.pull_request.base.ref || github.base_ref }}") BASE_REF=$(printf "%q" "$GITHUB_BASE_REF")
HEAD_REF=$(printf "%q" "${{ github.event.pull_request.head.ref || github.head_ref }}") HEAD_REF=$(printf "%q" "$GITHUB_HEAD_REF")
REF=$(printf "%q" "${{ github.ref }}") REF=$(printf "%q" "$GITHUB_REF")
BASE_REF=${BASE_REF/refs\/heads\//} BASE_REF=${BASE_REF/refs\/heads\//}
HEAD_REF=${HEAD_REF/refs\/heads\//} HEAD_REF=${HEAD_REF/refs\/heads\//}
@ -53,42 +59,54 @@ runs:
echo "head_ref_branch=$(eval printf "%s" "$HEAD_REF")" >> "$GITHUB_OUTPUT" echo "head_ref_branch=$(eval printf "%s" "$HEAD_REF")" >> "$GITHUB_OUTPUT"
echo "ref_branch=$(eval printf "%s" "$REF_BRANCH")" >> "$GITHUB_OUTPUT" echo "ref_branch=$(eval printf "%s" "$REF_BRANCH")" >> "$GITHUB_OUTPUT"
else else
BASE_REF=$(printf "%q" "${{ github.event.base_ref }}") BASE_REF=$(printf "%q" "$GITHUB_EVENT_BASE_REF")
BASE_REF=${BASE_REF/refs\/heads\/${{ inputs.strip_tag_prefix }}/} BASE_REF=${BASE_REF/refs\/heads\/$INPUTS_STRIP_TAG_PREFIX/}
echo "base_ref_branch=$(eval printf "%s" "$BASE_REF")" >> "$GITHUB_OUTPUT" echo "base_ref_branch=$(eval printf "%s" "$BASE_REF")" >> "$GITHUB_OUTPUT"
fi fi
shell: bash shell: bash
- id: current_branch - id: current_branch
env:
GITHUB_REF: ${{ github.ref }}
GITHUB_EVENT_NAME: ${{ github.event_name }}
HEAD_REF_BRANCH: ${{ steps.branch.outputs.head_ref_branch }}
REF_BRANCH: ${{ steps.branch.outputs.ref_branch }}
run: | run: |
# "Set the current branch name..." # "Set the current branch name..."
if [[ "${{ github.ref }}" != "refs/tags/"* ]]; then if [[ "$GITHUB_REF" != "refs/tags/"* ]]; then
if [[ ${{ github.event_name }} == *"pull_request"* ]]; then if [[ "$GITHUB_EVENT_NAME" == *"pull_request"* ]]; then
echo "current_branch=${{ steps.branch.outputs.head_ref_branch }}" >> "$GITHUB_OUTPUT" echo "current_branch=$HEAD_REF_BRANCH" >> "$GITHUB_OUTPUT"
else else
echo "current_branch=${{ steps.branch.outputs.ref_branch }}" >> "$GITHUB_OUTPUT" echo "current_branch=$REF_BRANCH" >> "$GITHUB_OUTPUT"
fi fi
fi fi
shell: bash shell: bash - id: default
- id: default env:
GITHUB_REF: ${{ github.ref }}
CURRENT_BRANCH: ${{ steps.current_branch.outputs.current_branch }}
DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
FORK: ${{ github.event.pull_request.head.repo.fork }}
run: | run: |
# "Set the default branch name..." # "Set the default branch name..."
if [[ "${{ github.ref }}" != "refs/tags/"* ]]; then if [[ "$GITHUB_REF" != "refs/tags/"* ]]; then
if [[ "${{ steps.current_branch.outputs.current_branch }}" == "${{ github.event.repository.default_branch }}" && "${{ github.event.pull_request.head.repo.fork }}" != "true" ]]; then if [[ "$CURRENT_BRANCH" == "$DEFAULT_BRANCH" && "$FORK" != "true" ]]; then
echo "is_default=true" >> "$GITHUB_OUTPUT" echo "is_default=true" >> "$GITHUB_OUTPUT"
echo "default_branch=${{ github.event.repository.default_branch }}" >> "$GITHUB_OUTPUT" echo "default_branch=$DEFAULT_BRANCH" >> "$GITHUB_OUTPUT"
else else
echo "is_default=false" >> "$GITHUB_OUTPUT" echo "is_default=false" >> "$GITHUB_OUTPUT"
echo "default_branch=${{ github.event.repository.default_branch }}" >> "$GITHUB_OUTPUT" echo "default_branch=$DEFAULT_BRANCH" >> "$GITHUB_OUTPUT"
fi fi
fi fi
shell: bash shell: bash
- id: tag - id: tag
env:
GITHUB_REF: ${{ github.ref }}
INPUTS_STRIP_TAG_PREFIX: ${{ inputs.strip_tag_prefix }}
run: | run: |
# "Set the tag name..." # "Set the tag name..."
if [[ "${{ github.ref }}" == "refs/tags/"* ]]; then if [[ "$GITHUB_REF" == "refs/tags/"* ]]; then
REF=$(printf "%q" "${{ github.ref }}") REF=$(printf "%q" "$GITHUB_REF")
TAG=${REF/refs\/tags\/${{ inputs.strip_tag_prefix }}/} TAG=${REF/refs\/tags\/$INPUTS_STRIP_TAG_PREFIX/}
echo "tag=$(eval printf "%s" "$TAG")" >> "$GITHUB_OUTPUT" echo "tag=$(eval printf "%s" "$TAG")" >> "$GITHUB_OUTPUT"
echo "is_tag=true" >> "$GITHUB_OUTPUT" echo "is_tag=true" >> "$GITHUB_OUTPUT"