ci(pr-title): Escape variables used in bash scripts #992

Merged
merged 1 commit into from
May 2, 2024

Conversation

@aborgna-q (Collaborator) commented May 2, 2024

Don't insert GitHub expressions directly in the bash script.

  • It breaks if there are [backticks] or [quotes] inside the variable.
  • It's a security issue: it allows arbitrary code injections from the PR description.

The solution is to put them into env variables first.

@aborgna-q requested a review from cqc-alec May 2, 2024 11:49
@aborgna-q enabled auto-merge May 2, 2024 11:53
@aborgna-q added this pull request to the merge queue May 2, 2024
Merged via the queue into main with commit 4b9d3da May 2, 2024
15 checks passed
@aborgna-q deleted the ab/ci/escape-bash-vars branch May 2, 2024 11:54
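
An added illustration of the two problems named in the PR description (it is not code from this PR or from the project): the script below models a runner that pastes an expression value into the script text before bash parses it, and compares that with passing the same value through an environment variable. The function names, the `PR_TITLE` variable, the sample title and the workflow shapes in the comments are all assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example: why pasting an expression into a `run:` script is unsafe.
# Workflow shapes being modelled (illustrative, not the project's file):
#   unsafe:  run: echo "${{ github.event.pull_request.title }}"
#   safe:    env: { PR_TITLE: "${{ github.event.pull_request.title }}" }
#            run: echo "$PR_TITLE"

# Constructed PR title; the command substitution is a harmless marker.
PR_TITLE='fix: handle "quotes" and $(echo INJECTED)'

# Hypothetical stand-in for the runner's templating step: the value is
# pasted into the script text before bash ever parses it.
render_unsafe() {
  printf 'echo "%s"\n' "$1"
}

# Unsafe path: the rendered text is parsed as code, so the title's own
# quotes and $(...) are interpreted by the shell.
run_unsafe() {
  render_unsafe "$1" | bash 2>&1
}

# Safe path: the script text is fixed; the title arrives as data in the
# environment and is only ever expanded inside double quotes.
run_safe() {
  PR_TITLE="$1" bash -c 'echo "$PR_TITLE"' 2>&1
}

echo "unsafe: $(run_unsafe "$PR_TITLE")"
echo "safe:   $(run_safe "$PR_TITLE")"
```

In the unsafe run the title's double quotes disappear and the marker command executes; in the safe run the title is printed byte for byte. A title with a single unbalanced quote makes the unsafe script fail to parse at all, which is the "it breaks" case.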