fix: avoid command injection and pass arguments securely (#98)

Co-authored-by: Miroslav Jonaš <[email protected]>
nrwl · Sep 6, 2023 · 08a0b0a · 08a0b0a
1 parent 8571a20
commit 08a0b0a
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 6 deletions.
diff --git a/action.yml b/action.yml
@@ -37,7 +37,14 @@ runs:
     - name: Set base and head SHAs used for nx affected
       id: setSHAs
       shell: bash
-      run: node $GITHUB_ACTION_PATH/dist/index.js ${{ github.token }} ${{ inputs.main-branch-name }} ${{ inputs.error-on-no-successful-workflow }} ${{ inputs.last-successful-event }} ${{ inputs.working-directory }} ${{ inputs.workflow-id }}
+      env:
+        gh_token: ${{ github.token }}
+        main_branch_name: ${{ inputs.main-branch-name }}
+        error_on_no_successful_workflow: ${{ inputs.error-on-no-successful-workflow }}
+        last_successful_event: ${{ inputs.last-successful-event }}
+        working_directory: ${{ inputs.working-directory }}
+        working_id: ${{ inputs.workflow-id }}
+      run: node "$GITHUB_ACTION_PATH/dist/index.js" "$gh_token" "$main_branch_name" "$error_on_no_successful_workflow" "$last_successful_event" "$working_directory" "$working_id"
 
     - name: Log base and head SHAs used for nx affected
       shell: bash

diff --git a/find-successful-workflow.js b/find-successful-workflow.js
@@ -1,7 +1,7 @@
 const { Octokit } = require("@octokit/action");
 const core = require("@actions/core");
 const github = require('@actions/github');
-const { execSync } = require('child_process');
+const { spawnSync } = require('child_process');
 const { existsSync } = require('fs');
 
 const { runId, repo: { repo, owner }, eventName } = github.context;
@@ -24,10 +24,13 @@ let BASE_SHA;
     }
   }
 
-  const HEAD_SHA = execSync(`git rev-parse HEAD`, { encoding: 'utf-8' });
+  const headResult = spawnSync('git', ['rev-parse', 'HEAD'], { encoding: 'utf-8' });
+  const HEAD_SHA = headResult.stdout;
+
 
   if (['pull_request','pull_request_target'].includes(eventName)) {
-    BASE_SHA = execSync(`git merge-base origin/${mainBranchName} HEAD`, { encoding: 'utf-8' });
+    const baseResult = spawnSync('git', ['merge-base', `origin/${mainBranchName}`, 'HEAD'], { encoding: 'utf-8' });
+    BASE_SHA = baseResult.stdout;
   } else {
     try {
       BASE_SHA = await findSuccessfulCommit(workflowId, runId, owner, repo, mainBranchName, lastSuccessfulEvent);
@@ -47,7 +50,9 @@ let BASE_SHA;
         process.stdout.write('\n');
         process.stdout.write(`NOTE: You can instead make this a hard error by setting 'error-on-no-successful-workflow' on the action in your workflow.\n`);
 
-        BASE_SHA = execSync(`git rev-parse origin/${mainBranchName}~1`, { encoding: 'utf-8' });
+        const baseRes = spawnSync('git', ['rev-parse', `origin/${mainBranchName}~1`], { encoding: 'utf-8' });
+        BASE_SHA = baseRes.stdout;
+
         core.setOutput('noPreviousBuild', 'true');
       }
     } else {
@@ -128,7 +133,7 @@ async function findExistingCommit(shas) {
  */
 async function commitExists(commitSha) {
   try {
-    execSync(`git cat-file -e ${commitSha}`, { stdio: ['pipe', 'pipe', null] });
+    spawnSync('git', ['cat-file', '-e', commitSha], { stdio: ['pipe', 'pipe', null] });
     return true;
   } catch {
     return false;