Don't use workflow inputs directly in scripts

They could inject commands that way. Instead assign them to an env var and then use that env var in the powershell scripts. We want to open those controls up to more people, so we need to make sure they can only change the values and not extract tokens etc. Fixes #60
2022-08-21 20:37:07 +02:00 · 2022-08-21 20:37:07 +02:00 · 0d4680c01f
commit 0d4680c01f
parent 9374b1d9b4
2 changed files with 8 additions and 4 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -53,8 +53,9 @@ jobs:
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        GITHUB_TOKEN_READONLY: ${{ secrets.GITHUBTOKENREADONLY }}
+        OPTIONAL_DEPS: ${{ github.event.inputs.optional_deps }}
      run: |
-        python -u autobuild.py write-build-plan --optional-deps '${{ github.event.inputs.optional_deps }}' build_plan.json
+        python -u autobuild.py write-build-plan --optional-deps "$env:OPTIONAL_DEPS" build_plan.json
        buildPlan="$(cat build_plan.json)"
        echo "::set-output name=build-plan::$buildPlan"

@ -71,8 +72,9 @@ jobs:
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        GITHUB_TOKEN_READONLY: ${{ secrets.GITHUBTOKENREADONLY }}
+        OPTIONAL_DEPS: ${{ github.event.inputs.optional_deps }}
      run: |
-        python -u autobuild.py show --optional-deps '${{ github.event.inputs.optional_deps }}'
+        python -u autobuild.py show --optional-deps "$env:OPTIONAL_DEPS"

  build:
    needs: schedule
--- a/.github/workflows/maint.yml
+++ b/.github/workflows/maint.yml
@ -46,8 +46,9 @@ jobs:
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        GITHUB_TOKEN_READONLY: ${{ secrets.GITHUBTOKENREADONLY }}
+        CLEAR_FAILED_BUILD_TYPES: ${{ github.event.inputs.clear_failed_build_types }}
      run: |
-        python -u autobuild.py clear-failed --build-types '${{ github.event.inputs.clear_failed_build_types }}'
+        python -u autobuild.py clear-failed --build-types "$env:CLEAR_FAILED_BUILD_TYPES"
        python -u autobuild.py update-status

    - name: Clear failed packages
@ -55,6 +56,7 @@ jobs:
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        GITHUB_TOKEN_READONLY: ${{ secrets.GITHUBTOKENREADONLY }}
+        CLEAR_FAILED_PACKAGES: ${{ github.event.inputs.clear_failed_packages }}
      run: |
-        python -u autobuild.py clear-failed --packages '${{ github.event.inputs.clear_failed_packages }}'
+        python -u autobuild.py clear-failed --packages "$env:CLEAR_FAILED_PACKAGES"
        python -u autobuild.py update-status