From 214bed27ee3eb5fd484ee0693c55ab89f27a098b Mon Sep 17 00:00:00 2001
From: Athanasius
Date: Mon, 9 Dec 2024 21:43:47 +0000
Subject: [PATCH] .github: workflows: Guard any shell $VAR with "..."

This is with regards to what happened to another project, ref:
Basically, do NOT trust that things like branch names don't contain any attempt at executing shell code if referenced in a workflow segment that runs a shell command.
---
 .github/workflows/pr-checks.yml | 6 +++---
 .github/workflows/push-checks.yml | 2 +-
 .github/workflows/submodule-update.yml | 2 +-
 .github/workflows/windows-build.yml | 4 ++--
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
index 843592a3..5c9872f1 100644
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -19,7 +19,7 @@ jobs:
 # Debug show the info we have to work with
 - name: Show github context
- run: cat $GITHUB_EVENT_PATH
+ run: cat "$GITHUB_EVENT_PATH"
 ####################################################################
 # Checkout the necessary commits
@@ -44,9 +44,9 @@ jobs:
 echo "BASE_REPO_URL: ${BASE_REPO_URL}"
 echo "BASE_REPO_OWNER: ${BASE_REPO_OWNER}"
 # Add the 'base' repo as a new remote
- git remote add ${BASE_REPO_OWNER} ${BASE_REPO_URL}
+ git remote add "${BASE_REPO_OWNER}" "${BASE_REPO_URL}"
 # And then fetch its references
- git fetch ${BASE_REPO_OWNER}
+ git fetch "${BASE_REPO_OWNER}"
 ####################################################################
 ####################################################################
diff --git a/.github/workflows/push-checks.yml b/.github/workflows/push-checks.yml
index e238ad8f..7c762dcc 100644
--- a/.github/workflows/push-checks.yml
+++ b/.github/workflows/push-checks.yml
@@ -43,7 +43,7 @@ jobs:
 env:
 ROOT_SHA: ${{github.base_ref}}
 run: |
- DATA=$(jq --raw-output .before $GITHUB_EVENT_PATH)
+ DATA=$(jq --raw-output .before "$GITHUB_EVENT_PATH")
 echo "DATA: ${DATA}"
 #######################################################################
diff --git a/.github/workflows/submodule-update.yml b/.github/workflows/submodule-update.yml
index f794bdeb..74213c29 100644
--- a/.github/workflows/submodule-update.yml
+++ b/.github/workflows/submodule-update.yml
@@ -54,7 +54,7 @@ jobs:
 - name: Create submodules changes branch
 if: steps.check_for_changes.outputs.changes == 'true'
 run: |
- git checkout -b "submodule-change/$GITHUB_RUN_ID" $CHECKOUT_BRANCH
+ git checkout -b "submodule-change/$GITHUB_RUN_ID" "$CHECKOUT_BRANCH"
 git commit -am "updating submodules"
 git push --set-upstream origin "submodule-change/$GITHUB_RUN_ID"
diff --git a/.github/workflows/windows-build.yml b/.github/workflows/windows-build.yml
index 9ed4e5ca..cecf941a 100644
--- a/.github/workflows/windows-build.yml
+++ b/.github/workflows/windows-build.yml
@@ -39,7 +39,7 @@ jobs:
 # For 'tar' we can only specify filename/glob exclusions, not any
 # directory location
 tar -c -v -z \
- -f ../EDMarketConnector-release-${{ needs.variables.outputs.sem_ver }}.tar.gz \
+ -f "../EDMarketConnector-release-${{ needs.variables.outputs.sem_ver }}.tar.gz" \
 -C .. \
 --exclude=EDMarketConnector-release-*.* \
 --exclude=.editorconfig \
@@ -59,7 +59,7 @@ jobs:
 --exclude=scripts \
 --exclude=tests \
 EDMarketConnector
- mv ../EDMarketConnector-release-${{ needs.variables.outputs.sem_ver }}.tar.gz .
+ mv "../EDMarketConnector-release-${{ needs.variables.outputs.sem_ver }}.tar.gz" .
 - name: Upload build files
 uses: actions/upload-artifact@v4
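Review bot: Quoting `"$CHECKOUT_BRANCH"` in the submodule-update.yml hunk stops word splitting and globbing, but it does not stop `git checkout` from reading an option-like value (one beginning with `-`) as a flag rather than a start point, and nothing in the hunk validates the name. Where CHECKOUT_BRANCH is set lies outside the hunk, so whether it can carry user-influenced content is unclear from here. If it can, a `git check-ref-format --branch "$CHECKOUT_BRANCH"` line placed before the checkout makes the step fail on any name git would not accept as a branch, which covers the dash-prefixed case, and keeps the commit and push from running against an unexpected ref.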
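Review bot: The double quotes added around the `-f` argument in the windows-build.yml @@ -39 hunk (and around the `mv` argument in its @@ -59 hunk) do not guard `${{ needs.variables.outputs.sem_ver }}`, because that expression is expanded by the workflow engine into the script text before bash parses it, so a value containing shell metacharacters would still change the command regardless of the quotes. This is the same class of issue the commit message describes, and it is the one place in the patch where quoting alone is not enough; whether sem_ver is derived from a ref or tag name cannot be told from the hunk. The safer form is to pass it through the step's environment, adding `SEM_VER: ${{ needs.variables.outputs.sem_ver }}` under the step's `env:` (creating one if the step has none), and then referencing `-f "../EDMarketConnector-release-${SEM_VER}.tar.gz" \` and `mv "../EDMarketConnector-release-${SEM_VER}.tar.gz" .`. The step's header and any existing `env:` block lie outside both hunks.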