Use env variables instead of passing unsafe text to the workflow scri…

…pt (#5023) (#5025) * Use environment variables instead of passing unsafe text to the workflow script. No-Issue Signed-off-by: James Tanner <tanner.jc@gmail.com> (cherry picked from commit 6116e76) Co-authored-by: jctanner <tanner.jc@gmail.com>
ansible · May 8, 2024 · ec887e1 · ec887e1
1 parent 5d34feb
commit ec887e1
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 2 deletions.
diff --git a/.github/workflows/automerge.js b/.github/workflows/automerge.js
@@ -1,5 +1,19 @@
 const { exec } = require('node:child_process');
-const [ _node, _automerge, branch, prTitle, actor ] = process.argv;
+const [ _node, _automerge ] = process.argv;
+
+// get these values from env instead of cli args due to RCE issues
+let branch = null;
+let prTitle = null;
+let actor = null;
+if (process.env.HEAD_REF) {
+    branch = process.env.HEAD_REF;
+}
+if (process.env.PR_TITLE) {
+    prTitle = process.env.PR_TITLE;
+}
+if (process.env.GITHUB_ACTOR) {
+    actor = process.env.GITHUB_ACTOR;
+}
 
 console.log({ branch, prTitle, actor });
 

diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml
@@ -22,8 +22,9 @@ jobs:
       working-directory: ".github/workflows"
       env:
         GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        PR_TITLE: "${{ github.event.pull_request.title }}"
       run: |
-        node automerge.js "${{ github.head_ref }}" "${{ github.event.pull_request.title }}" "${{ github.actor }}"
+        node automerge.js
 
     - name: "Automerge the PR"
       env: