From 3042c8d89dec4c99b69c6b4fc4a9256dae3a3ca0 Mon Sep 17 00:00:00 2001
From: Rob Cowsill <42620235+rcowsill@users.noreply.github.com>
Date: Sun, 10 Oct 2021 16:05:45 +0100
Subject: [PATCH] Block unexpected workflow commands

Don't process workflow commands when logging potentially untrusted text
---
 index.js | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/index.js b/index.js
index 5fece19..ac72f08 100644
--- a/index.js
+++ b/index.js
@@ -1,14 +1,25 @@
 const fs = require("fs");
+const crypto = require("crypto");
+
+const resumeToken = crypto.randomBytes(30).toString("base64")
 
 // Output environment variables. Secrets are automatically masked.
 console.log("::group::Environment variables")
+console.log(`::stop-commands::${resumeToken}`)
+
 for (const [key, value] of Object.entries(process.env).sort()) {
   console.log(`${key}=${value}`);
 }
+
+console.log(`::${resumeToken}::`)
 console.log("::endgroup::")
 
 // Output prettified event JSON.
 console.log("::group::Event JSON")
+console.log(`::stop-commands::${resumeToken}`)
+
 const event = JSON.parse(fs.readFileSync(process.env["GITHUB_EVENT_PATH"]));
 console.log(JSON.stringify(event, null, 2));
+
+console.log(`::${resumeToken}::`)
 console.log("::endgroup::")
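Review bot: The `::${resumeToken}::` resume line in each group is reached only if the logging before it succeeds, so a throw from `readFileSync`/`JSON.parse` in the second group leaves command processing suppressed and the group unclosed for the rest of the step (probably harmless here because the script ends at that point, but it is an implicit assumption), and the stop/resume pair is hand-written twice. A small helper that prints `::group::`, `::stop-commands::`, runs the body in `try/finally`, then resumes and ends the group would remove the duplication and is a natural place for a comment saying why the suppression exists (env values and the event payload are attacker-influenced text that may contain `::name::` sequences); a sketch is below. Two smaller points: the added lines omit the semicolons that `const fs = require("fs");` uses, and `toString("base64")` can put `+`, `/` and `=` into the command name — `toString("hex")` keeps the token alphanumeric, which is worth preferring unless the runner's command parser is confirmed to accept base64 characters.
```javascript
const crypto = require("crypto");

// Per-run random token. Env values and the event payload are untrusted text that
// may contain "::name::" sequences, so command processing is paused while they are logged.
const resumeToken = crypto.randomBytes(30).toString("hex");

function logUntrustedGroup(title, body) {
  console.log(`::group::${title}`);
  console.log(`::stop-commands::${resumeToken}`);
  try {
    body();
  } finally {
    console.log(`::${resumeToken}::`);
    console.log("::endgroup::");
  }
}

logUntrustedGroup("Environment variables", () => {
  // … unchanged: for-loop over Object.entries(process.env).sort() …
});

logUntrustedGroup("Event JSON", () => {
  // … unchanged: read GITHUB_EVENT_PATH, JSON.parse, JSON.stringify …
});
```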