Commit ed884a5

authored

Prevent command injection when creating release notes (#866)

If a merged PR title contains invalid strings, it could allow for shell injection. It's best to address known problems promptly.

1 parent be83749 commit ed884a5Copy full SHA for ed884a5

File tree

-5

lines changed

-5

lines changed

Lines changed: 2 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -106,7 +106,8 @@ jobs:`
`106`	`106`	.concat(`\n\n${footer}`);
`107`	`107`
`108`	`108`	console.log(`releaseNotes (modified): ${JSON.stringify(modifiedBody, null, 2)}`);
`109`		`- core.setOutput("release_body", modifiedBody);`
	`109`	`+ const fs = require('fs');`
	`110`	`+ fs.writeFileSync('release-notes.txt', modifiedBody, { encoding: 'utf8' });`
`110`	`111`
`111`	`112`	`- name: Prepare Release Title`
`112`	`113`	`id: title`
`@@ -118,10 +119,6 @@ jobs:`
`118`	`119`	`SANITIZED_TITLE="$(printf '%s' "$RAW_TITLE" \| sed 's/"/\\"/g')"`
`119`	`120`	`echo "sanitized_title=$SANITIZED_TITLE" >> "$GITHUB_OUTPUT"`
`120`	`121`
`121`		`- - name: Write Release Notes to File`
`122`		`- run: \|`
`123`		`- echo "${{ steps.generate-release-notes.outputs.release_body }}" > release-notes.txt`
`124`		`-`
`125`	`122`	`- name: Create Draft Release`
`126`	`123`	`run: \|`
`127`	`124`	`gh release create "${{ steps.calculate-version.outputs.new_version }}" \`

Comments

(0)