Avoiding input injection issues #17

Open
elibarzilay opened this issue Sep 25, 2022 · 2 comments
Labels
documentation Improvements or additions to documentation

Comments

@elibarzilay

pull_number: ${{ github.event.inputs.PR_number }}

It's nice that you keep reminding people about the dangers of things like a random curl somewhere | sh, and there is a similar problem on this line: the use of ${{...}} means that whatever you type as the input is replacing that directly. For example, I can use an input like (console.log(whatever), 123), and it'll blindly run it. Yes, it's minor, since I'd need to be a collaborator to run your actions, but you might assume that as long as you review all of my PRs I cannot read your secrets. Instead, you could just use context.payload.inputs in the code (without ${{...}}s) and be calm knowing that no such trickery can happen...

(Same as the other thing, I guess that editing is impractical, but just wanted to say it since I half-expected you to at least say something about it.)

@Link-
Owner

Link- commented Nov 3, 2022

Yep, good points. Thanks for sharing

@Link- Link- added the documentation Improvements or additions to documentation label Nov 3, 2022
@Link- Link- changed the title Better to avoid this Avoiding input injection issues Nov 3, 2022
@xsamueljr

What would be a better alternative? I didn't understand it, sorry
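The two forms the first comment contrasts, written out as an added example (this is not code from the original issue or from the repository it concerns): a workflow_dispatch workflow where the input is first spliced into the script text through ${{ }} (the pattern the comment warns about, kept here as a commented-out step) and then read from context.payload.inputs at run time instead. The workflow name, the input name PR_number, the actions/github-script version, the permissions block and the comment body are assumptions; the digit check is an added validation step, not something the issue prescribes.

```yaml
# Added example; not from the original issue or the project it discusses.
# Assumed: a workflow_dispatch input named PR_number and actions/github-script@v6.
name: comment-on-pr
on:
  workflow_dispatch:
    inputs:
      PR_number:
        description: Pull request number
        required: true

jobs:
  comment:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      # Pattern to avoid: ${{ ... }} is expanded by plain text substitution
      # before the JavaScript is parsed, so the input becomes part of the
      # script's source code rather than a value. An input such as
      #   (console.log(whatever), 123)
      # is therefore executed as code, with access to `github` and its token.
      #
      # - uses: actions/github-script@v6
      #   with:
      #     script: |
      #       await github.rest.issues.createComment({
      #         owner: context.repo.owner,
      #         repo: context.repo.repo,
      #         issue_number: ${{ github.event.inputs.PR_number }},
      #         body: 'Thanks for the PR!',
      #       });

      # Safer form: read the input from the context object at run time. It is
      # then an ordinary string value and never touches the script text, so
      # the worst a malformed input can do is fail validation.
      - uses: actions/github-script@v6
        with:
          script: |
            const raw = context.payload.inputs.PR_number;
            if (!/^\d+$/.test(raw)) {
              core.setFailed(`PR_number must be a positive integer, got: ${raw}`);
              return;
            }
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: Number(raw),
              body: 'Thanks for the PR!',
            });
```

The same separation of data from code can also be achieved by passing the input through an `env:` entry on the step and reading `process.env.PR_NUMBER` inside the script; either way the value is never pasted into the JavaScript source, which is the property that matters.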
