From ffb8558b7e5df4644299e5ec7009ade6ca1a721c Mon Sep 17 00:00:00 2001
From: Kasper Peulen
Date: Mon, 28 Nov 2022 10:38:37 +0100
Subject: [PATCH] Sanitize user input in github workflow

---
 .../workflows/trigger-circle-ci-workflow.yml | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/trigger-circle-ci-workflow.yml b/.github/workflows/trigger-circle-ci-workflow.yml
index c75755a74bcd..4869a9d4fea6 100644
--- a/.github/workflows/trigger-circle-ci-workflow.yml
+++ b/.github/workflows/trigger-circle-ci-workflow.yml
@@ -17,13 +17,14 @@ jobs:
 env:
 # Stored as environment variable to prevent script injection
 REF_NAME: ${{ github.ref_name }}
+ PR_REF_NAME: ${{ github.event.pull_request.head.ref }}
 run: |
 if [ "${{ github.event.pull_request.head.repo.fork }}" = "true" ]; then
 export BRANCH=pull/${{ github.event.pull_request.number }}/head
 elif [ "${{ github.event_name }}" = "push" ]; then
 export BRANCH="$REF_NAME"
 else
- export BRANCH=${{ github.event.pull_request.head.ref }}
+ export BRANCH="$PR_REF_NAME"
 fi
 echo "$BRANCH"
 echo "branch=$BRANCH" >> $GITHUB_ENV
@@ -41,13 +42,14 @@ jobs:
 -H "Content-Type: application/json" \
 -H "Circle-Token: $CIRCLE_CI_TOKEN" \
 -d '{
- "branch": "${{ needs.get-branch.outputs.branch }}",
+ "branch": "$BRANCH",
 "parameters": {
 "workflow": "ci"
 }
 }'
 env:
 CIRCLE_CI_TOKEN: ${{ secrets.CIRCLE_CI_TOKEN }}
+ BRANCH: ${{ needs.get-branch.outputs.branch }}
 trigger-pr-tests:
 runs-on: ubuntu-latest
 needs: get-branch
@@ -59,13 +61,14 @@ jobs:
 -H "Content-Type: application/json" \
 -H "Circle-Token: $CIRCLE_CI_TOKEN" \
 -d '{
- "branch": "${{ needs.get-branch.outputs.branch }}",
+ "branch": "$BRANCH",
 "parameters": {
 "workflow": "pr"
 }
 }'
 env:
 CIRCLE_CI_TOKEN: ${{ secrets.CIRCLE_CI_TOKEN }}
+ BRANCH: ${{ needs.get-branch.outputs.branch }}
 trigger-merged-tests:
 runs-on: ubuntu-latest
 needs: get-branch
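Review bot: The fork branch of the `if` still interpolates `${{ github.event.pull_request.number }}` directly into the shell line `export BRANCH=pull/.../head`, the same pattern the commit removes for `head.ref` one line below. GitHub supplies the PR number as an integer, so this is not an injection path today, but for consistency with the new `PR_REF_NAME` variable it would be cleaner to add `PR_NUMBER: ${{ github.event.pull_request.number }}` under `env:` and write `export BRANCH="pull/$PR_NUMBER/head"`. The redirect on the hunk's last line should also quote its target, `echo "branch=$BRANCH" >> "$GITHUB_ENV"`. The step that exposes `branch` as the job output consumed by the trigger jobs is outside this hunk.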
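Review bot: The new `"branch": "$BRANCH"` line sits inside the single-quoted `-d '{ ... }'` argument, where the shell does not expand variables, so CircleCI receives the literal string `$BRANCH` instead of the branch name; the `pr`, `merged` and `daily` hunks that follow have the same problem. The old `${{ }}` form worked only because GitHub substituted it before the shell ran. Building the payload with jq restores the expansion and also JSON-escapes the value (git ref names may contain `"`), e.g. `-d "$(jq -n --arg branch "$BRANCH" '{branch: $branch, parameters: {workflow: "ci"}}')"` in place of the quoted block. The curl invocation begins before this hunk, so it is worth checking there that `--fail` is set so a rejected trigger fails the job rather than passing silently.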
@@ -77,13 +80,14 @@ jobs:
 -H "Content-Type: application/json" \
 -H "Circle-Token: $CIRCLE_CI_TOKEN" \
 -d '{
- "branch": "${{ needs.get-branch.outputs.branch }}",
+ "branch": "$BRANCH",
 "parameters": {
 "workflow": "merged"
 }
 }'
 env:
 CIRCLE_CI_TOKEN: ${{ secrets.CIRCLE_CI_TOKEN }}
+ BRANCH: ${{ needs.get-branch.outputs.branch }}
 trigger-daily-tests:
 runs-on: ubuntu-latest
 needs: get-branch
@@ -95,10 +99,11 @@ jobs:
 -H "Content-Type: application/json" \
 -H "Circle-Token: $CIRCLE_CI_TOKEN" \
 -d '{
- "branch": "${{ needs.get-branch.outputs.branch }}",
+ "branch": "$BRANCH",
 "parameters": {
 "workflow": "daily"
 }
 }'
 env:
- CIRCLE_CI_TOKEN: ${{ secrets.CIRCLE_CI_TOKEN }}
\ No newline at end of file
+ CIRCLE_CI_TOKEN: ${{ secrets.CIRCLE_CI_TOKEN }}
+ BRANCH: ${{ needs.get-branch.outputs.branch }}
\ No newline at end of file
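Review bot: The new final line `BRANCH: ${{ needs.get-branch.outputs.branch }}` is still followed by `\ No newline at end of file`, as the old last line was; since the commit already rewrites the file's tail, adding the trailing newline here would satisfy yamllint's new-line-at-end-of-file check and keep the next change to this file from carrying a spurious marker. The remaining lines of the `daily` hunk otherwise match the `ci`, `pr` and `merged` hunks.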