From 4da0d94b96e662b8dffe281d0a2de812f11cda71 Mon Sep 17 00:00:00 2001 From: Jacek Kowalski <Jacek@jacekk.info> Date: Sun, 10 May 2020 20:40:15 +0000 Subject: [PATCH] Filter potentially dangerous input in GitHub Actions workflows --- .github/workflows/test.yml | 12 ++++-------- .github/workflows/release.yml | 12 ++++-------- 2 files changed, 8 insertions(+), 16 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c6bc7a3..6a6c638 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -23,17 +23,13 @@ name: Get project variables run: | echo -n "::set-output name=keycloakVersion::" - mvn -q help:evaluate -Dexpression=keycloak.version -DforceStdout 2> /dev/null - echo + mvn -q help:evaluate -Dexpression=keycloak.version -DforceStdout 2> /dev/null | grep -E '^[0-9a-zA-Z.-]+$' echo -n "::set-output name=artifactId::" - mvn -q help:evaluate -Dexpression=project.artifactId -DforceStdout 2> /dev/null - echo + mvn -q help:evaluate -Dexpression=project.artifactId -DforceStdout 2> /dev/null | grep -E '^[0-9a-zA-Z.-]+$' echo -n "::set-output name=projectName::" - mvn -q help:evaluate -Dexpression=project.name -DforceStdout 2> /dev/null - echo + mvn -q help:evaluate -Dexpression=project.name -DforceStdout 2> /dev/null | grep -E '^[0-9a-zA-Z :,.-]+$' echo -n "::set-output name=projectVersion::" - mvn -q help:evaluate -Dexpression=project.version -DforceStdout 2> /dev/null - echo + mvn -q help:evaluate -Dexpression=project.version -DforceStdout 2> /dev/null | grep -E '^[0-9a-zA-Z.-]+$' - name: Build project run: | diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index eddd6e7..c4d543b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -21,17 +21,13 @@ name: Get project variables run: | echo -n "::set-output name=keycloakVersion::" - mvn -q help:evaluate -Dexpression=keycloak.version -DforceStdout 2> /dev/null - echo + mvn -q help:evaluate -Dexpression=keycloak.version -DforceStdout 2> /dev/null | grep -E '^[0-9a-zA-Z.-]+$' echo -n "::set-output name=artifactId::" - mvn -q help:evaluate -Dexpression=project.artifactId -DforceStdout 2> /dev/null - echo + mvn -q help:evaluate -Dexpression=project.artifactId -DforceStdout 2> /dev/null | grep -E '^[0-9a-zA-Z.-]+$' echo -n "::set-output name=projectName::" - mvn -q help:evaluate -Dexpression=project.name -DforceStdout 2> /dev/null - echo + mvn -q help:evaluate -Dexpression=project.name -DforceStdout 2> /dev/null | grep -E '^[0-9a-zA-Z :,.-]+$' echo -n "::set-output name=projectVersion::" - mvn -q help:evaluate -Dexpression=project.version -DforceStdout 2> /dev/null - echo + mvn -q help:evaluate -Dexpression=project.version -DforceStdout 2> /dev/null | grep -E '^[0-9a-zA-Z.-]+$' - name: Build project run: | -- Gitblit v1.9.1