fix(pipeline): validate expected commit before passing to git-checkou…

…t pipeline (#1667) * fix(pipeline): validate expected commit before passing to git-checkout pipeline Signed-off-by: Luca Di Maio <[email protected]> * fix linting Signed-off-by: Luca Di Maio <[email protected]> --------- Signed-off-by: Luca Di Maio <[email protected]>
chainguard-dev · Nov 23, 2024 · 2fff904 · 2fff904
1 parent b47ef6c
commit 2fff904
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/pkg/build/pipeline.go b/pkg/build/pipeline.go
@@ -159,6 +159,14 @@ func validateWith(data map[string]string, inputs map[string]config.Input) (map[s
 				return data, fmt.Errorf("checksum input %q for pipeline, invalid length", k)
 			}
 		}
+		if k == "expected-commit" && data[k] != "" {
+			if !matchValidShaChars(data[k]) {
+				return data, fmt.Errorf("expectec commit %q for pipeline contains invalid characters", k)
+			}
+			if len(data[k]) != 40 {
+				return data, fmt.Errorf("expected commit %q for pipeline, invalid length", k)
+			}
+		}
 
 		if v.Required && data[k] == "" {
 			return data, fmt.Errorf("required input %q for pipeline is missing", k)