From 4da0d94b96e662b8dffe281d0a2de812f11cda71 Mon Sep 17 00:00:00 2001
From: Jacek Kowalski <Jacek@jacekk.info>
Date: Sun, 10 May 2020 20:40:15 +0000
Subject: [PATCH] Filter potentially dangerous input in GitHub Actions workflows

---
 .github/workflows/test.yml    |   12 ++++--------
 .github/workflows/release.yml |   12 ++++--------
 2 files changed, 8 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c6bc7a3..6a6c638 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -23,17 +23,13 @@
         name: Get project variables
         run: |
           echo -n "::set-output name=keycloakVersion::"
-          mvn -q help:evaluate -Dexpression=keycloak.version -DforceStdout 2> /dev/null
-          echo
+          mvn -q help:evaluate -Dexpression=keycloak.version -DforceStdout 2> /dev/null | grep -E '^[0-9a-zA-Z.-]+$'
           echo -n "::set-output name=artifactId::"
-          mvn -q help:evaluate -Dexpression=project.artifactId -DforceStdout 2> /dev/null
-          echo
+          mvn -q help:evaluate -Dexpression=project.artifactId -DforceStdout 2> /dev/null | grep -E '^[0-9a-zA-Z.-]+$'
           echo -n "::set-output name=projectName::"
-          mvn -q help:evaluate -Dexpression=project.name -DforceStdout 2> /dev/null
-          echo
+          mvn -q help:evaluate -Dexpression=project.name -DforceStdout 2> /dev/null | grep -E '^[0-9a-zA-Z :,.-]+$'
           echo -n "::set-output name=projectVersion::"
-          mvn -q help:evaluate -Dexpression=project.version -DforceStdout 2> /dev/null
-          echo
+          mvn -q help:evaluate -Dexpression=project.version -DforceStdout 2> /dev/null | grep -E '^[0-9a-zA-Z.-]+$'
 
       - name: Build project
         run: |
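Review bot: When the new `grep -E` filter matches nothing, the line that the preceding `echo -n "::set-output name=…::"` started is left without a newline, so the next `::set-output` prefix is appended to it and the runner sees one garbled command instead of two outputs; the same applies to the parallel hunk in `.github/workflows/test.yml`. Because `run:` here does not set `shell: bash`, the step runs under `bash -e` without `pipefail`, so grep's non-zero exit in the pipeline does not fail the step either, and a value that failed validation is silently dropped rather than reported. I would capture each filtered value first, fail the step explicitly when it is empty, and only then emit the command, which also removes the dependence on grep supplying the trailing newline; the rewrite below replaces the four `echo -n`/`mvn … | grep` pairs with one helper. The `run:` block's `name:` line and the step header are above the hunk start.
```yaml
        run: |
          # Evaluate one Maven expression, reject output that does not match
          # the allowed pattern, and emit it as a step output on its own line.
          emit_output() {
            local value
            value="$(mvn -q help:evaluate -Dexpression="$2" -DforceStdout 2> /dev/null | grep -E "$3")" \
              || { echo "$2 did not pass the allowed-character filter" >&2; exit 1; }
            echo "::set-output name=$1::$value"
          }
          emit_output keycloakVersion keycloak.version '^[0-9a-zA-Z.-]+$'
          emit_output artifactId project.artifactId '^[0-9a-zA-Z.-]+$'
          emit_output projectName project.name '^[0-9a-zA-Z :,.-]+$'
          emit_output projectVersion project.version '^[0-9a-zA-Z.-]+$'
```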
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index eddd6e7..c4d543b 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -21,17 +21,13 @@
         name: Get project variables
         run: |
           echo -n "::set-output name=keycloakVersion::"
-          mvn -q help:evaluate -Dexpression=keycloak.version -DforceStdout 2> /dev/null
-          echo
+          mvn -q help:evaluate -Dexpression=keycloak.version -DforceStdout 2> /dev/null | grep -E '^[0-9a-zA-Z.-]+$'
           echo -n "::set-output name=artifactId::"
-          mvn -q help:evaluate -Dexpression=project.artifactId -DforceStdout 2> /dev/null
-          echo
+          mvn -q help:evaluate -Dexpression=project.artifactId -DforceStdout 2> /dev/null | grep -E '^[0-9a-zA-Z.-]+$'
           echo -n "::set-output name=projectName::"
-          mvn -q help:evaluate -Dexpression=project.name -DforceStdout 2> /dev/null
-          echo
+          mvn -q help:evaluate -Dexpression=project.name -DforceStdout 2> /dev/null | grep -E '^[0-9a-zA-Z :,.-]+$'
           echo -n "::set-output name=projectVersion::"
-          mvn -q help:evaluate -Dexpression=project.version -DforceStdout 2> /dev/null
-          echo
+          mvn -q help:evaluate -Dexpression=project.version -DforceStdout 2> /dev/null | grep -E '^[0-9a-zA-Z.-]+$'
 
       - name: Build project
         run: |

--
Gitblit v1.9.1