Skip to content

Commit

Permalink
fix: github workflow vulnerable to script injection
Browse files Browse the repository at this point in the history
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
  • Loading branch information
diogoteles08 authored and has2k1 committed Nov 28, 2024
1 parent 2cacc7a commit 477661f
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion .github/workflows/documentation.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,9 @@ on:
workflow_dispatch:
workflow_call:

env:
HEAD_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}

jobs:
parse_commit_info:
runs-on: ubuntu-latest
Expand All @@ -30,7 +33,7 @@ jobs:
# The message string is directly substituted in before the command is run.
# We use a HereDoc to avoid quotation issues if the message has quotes as well.
TITLE=$(cat <<EOF | head -n 1
${{ github.event.head_commit.message }}
$HEAD_COMMIT_MESSAGE
EOF
)
Expand Down

0 comments on commit 477661f

Please sign in to comment.