From ebc238736da540a9e681e0ad33746898df12a6a4 Mon Sep 17 00:00:00 2001
From: Lucas Meurer
Date: Wed, 11 Dec 2024 15:56:58 +0100
Subject: [PATCH] Fix pr preview vulnerability

---
 .github/workflows/preview_build.yml | 6 ++++--
 .github/workflows/preview_cleanup.yml | 9 +++++++--
 .github/workflows/preview_deploy.yml | 6 +-----
 3 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/preview_build.yml b/.github/workflows/preview_build.yml
index 70cd5ce2aae..c44c10f0c83 100644
--- a/.github/workflows/preview_build.yml
+++ b/.github/workflows/preview_build.yml
@@ -42,9 +42,11 @@ jobs:
 - name: Generate meta.json
 env:
 PR_NUMBER: ${{ github.event.number }}
- PR_BRANCH: ${{ github.head_ref }}
+ URL_SLUG: ${{ github.event.number }}-${{ github.head_ref }}
 run: |
- echo "{\"pr_number\": \"$PR_NUMBER\", \"pr_branch\": \"$PR_BRANCH\"}" > meta.json
+ # Sanitize the URL_SLUG to only contain alphanumeric characters and dashes
+ URL_SLUG=$(echo $URL_SLUG | tr -cd '[:alnum:]-')
+ echo "{\"pr_number\": \"$PR_NUMBER\", \"url_slug\": \"$URL_SLUG\"}" > meta.json
 
 - uses: actions/upload-artifact@v4
 with:
diff --git a/.github/workflows/preview_cleanup.yml b/.github/workflows/preview_cleanup.yml
index 3aba668a2b3..6e2b94b83aa 100644
--- a/.github/workflows/preview_cleanup.yml
+++ b/.github/workflows/preview_cleanup.yml
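Review bot: `echo $URL_SLUG` in the new sanitization line is unquoted, so the shell word-splits and glob-expands the value before `tr` ever sees it; `URL_SLUG=$(printf '%s' "$URL_SLUG" | tr -cd '[:alnum:]-')` keeps the filter operating on the exact string and also sidesteps `echo`'s own option parsing. Git ref rules already exclude whitespace and glob characters, so this is a point of robustness rather than an exploitable gap, but quoting is the idiom that keeps the sanitizer correct if the input source ever changes. The identical line is added to preview_cleanup.yml in this patch and should get the same treatment.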
@@ -15,9 +15,14 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v4
 - run: mkdir -p empty_dir
- - name: Url slug variable
+ - name: Generate URL_SLUG
+ env:
+ PR_NUMBER: ${{ github.event.pull_request.number }}
+ URL_SLUG: ${{ github.event.pull_request.number }}-${{ github.event.pull_request.head.ref }}
 run: |
- echo "URL_SLUG=${{ github.event.pull_request.number }}-${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV
+ # Sanitize the URL_SLUG to only contain alphanumeric characters and dashes
+ URL_SLUG=$(echo $URL_SLUG | tr -cd '[:alnum:]-')
+ echo "URL_SLUG=$URL_SLUG" >> $GITHUB_ENV
 - name: Deploy
 uses: JamesIves/github-pages-deploy-action@v4
 with:
diff --git a/.github/workflows/preview_deploy.yml b/.github/workflows/preview_deploy.yml
index 9fdcfaf755f..f98f96da162 100644
--- a/.github/workflows/preview_deploy.yml
+++ b/.github/workflows/preview_deploy.yml
@@ -40,11 +40,7 @@ jobs:
 - name: Parse meta.json
 run: |
 echo "PR_NUMBER=$(jq -r .pr_number meta.json)" >> $GITHUB_ENV
- echo "PR_BRANCH=$(jq -r .pr_branch meta.json)" >> $GITHUB_ENV
-
- - name: Url slug variable
- run: |
- echo "URL_SLUG=${{ env.PR_NUMBER }}-${{ env.PR_BRANCH }}" >> $GITHUB_ENV
+ echo "URL_SLUG=$(jq -r .url_slug meta.json)" >> $GITHUB_ENV
 
 - name: Deploy
 uses: JamesIves/github-pages-deploy-action@v4
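Review bot: `PR_NUMBER` is exported into the environment of the new `Generate URL_SLUG` step but the script body never reads it, so that `env:` line is dead and can be dropped. The slug computation is a copy of the one in preview_build.yml, and the cleanup only removes the right preview directory when both produce byte-identical output; that coupling is not written down anywhere. A comment on the step such as `# Must stay in sync with the url_slug written to meta.json by preview_build.yml` would make the dependency visible to the next person who edits either file.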
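Review bot: The deploy side still takes meta.json at face value: the `jq -r .url_slug` and `jq -r .pr_number` outputs are appended to `$GITHUB_ENV` with no filtering, so the only sanitization is the one added in preview_build.yml, which runs in the same workflow that produces the artifact. If preview_build.yml is triggered from the PR head (which its use of `github.head_ref` suggests), the PR author controls that workflow file and therefore the artifact contents, so the trust boundary is this step, not the producer; an unfiltered multi-line value here would also reach `$GITHUB_ENV` unchanged. Re-applying the filter at the consumer, e.g. `echo "PR_NUMBER=$(jq -r .pr_number meta.json | tr -cd '[:digit:]')" >> "$GITHUB_ENV"` and `echo "URL_SLUG=$(jq -r .url_slug meta.json | tr -cd '[:alnum:]-')" >> "$GITHUB_ENV"`, keeps the inputs to the deploy action constrained regardless of what the artifact contains.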