ci: use env input to fix the command injection vulnerability (#2797)

juspay · Nov 6, 2023 · 3199cd6 · 3199cd6
1 parent d47d4ac
commit 3199cd6
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/.github/workflows/pr-title-check.yml b/.github/workflows/pr-title-check.yml
@@ -41,7 +41,9 @@ jobs:
     steps:
       - name: Store PR title in a file
         shell: bash
-        run: echo '${{ github.event.pull_request.title }}' > pr_title.txt
+        env:
+          TITLE: ${{ github.event.pull_request.title }}
+        run: echo $TITLE > pr_title.txt
 
       - name: Spell check
         uses: crate-ci/typos@master
@@ -66,8 +68,10 @@ jobs:
         id: pr_title_check
         if: ${{ github.event_name == 'pull_request_target' }}
         shell: bash
+        env:
+          TITLE: ${{ github.event.pull_request.title }}
         continue-on-error: true
-        run: cog verify '${{ github.event.pull_request.title }}'
+        run: cog verify "$TITLE"
 
       - name: Verify commit message follows conventional commit standards
         id: commit_message_check