Skip to content

Commit

Permalink
fix(ci): Sanitize PR title (#1677)
Browse files Browse the repository at this point in the history
My scanner picked up this vulnerability added recently. Just making a PR
to fix it instead of going through the whole ASF reporting process
because the workflow permissions are locked down to just PR and issues
write and there are no secrets, so the worst someone could do is be a
nuisance or try cache poisoning (which attackers don't know how to
do...yet).

Ref:

https://securitylab.github.com/research/github-actions-untrusted-input/
  • Loading branch information
AdnaneKhan authored Mar 27, 2024
1 parent 7d5f1f0 commit 6f1a381
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion .github/workflows/dev_pr.yml
Original file line number Diff line number Diff line change
Expand Up @@ -53,5 +53,7 @@ jobs:
ref: "${{ github.event.pull_request.merge_commit_sha }}"

- name: Check PR title for conventional commit format
env:
PR_TITLE: ${{ github.event.pull_request.title }}
run: |
python .github/workflows/dev_pr/title_check.py $(pwd)/pr_checkout "${{ github.event.pull_request.title }}"
python .github/workflows/dev_pr/title_check.py $(pwd)/pr_checkout "$PR_TITLE"

0 comments on commit 6f1a381

Please sign in to comment.