Prevent command injection in Measure Disk Usage (#21874)

lucia-sb · web-flow · commit 323bd276df93 · 2025-11-13T18:19:40.000Z
* Add format check to branch name

* Remove branch name validation
diff --git a/.github/workflows/measure-disk-usage.yml b/.github/workflows/measure-disk-usage.yml
@@ -37,16 +37,18 @@ jobs:
 
     - name: Define command
       id: cmd
+      env:
+        HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
+        EVENT_NAME: ${{ github.event.workflow_run.event }}
+        HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
       run: |
-        cmd="ddev -v size status \
-        --commit ${{ github.event.workflow_run.head_sha }} \
-        --format json"
+        cmd="ddev -v size status --commit \"$HEAD_SHA\" --format json"
 
-        if [ "${{ github.event.workflow_run.event }}" = "push" ] && [ "${{ github.event.workflow_run.head_branch }}" = "master" ]; then 
+        if [ "$EVENT_NAME" = "push" ] && [ "$HEAD_BRANCH" = "master" ]; then 
           cmd="$cmd --to-dd-key ${{ secrets.DD_API_KEY }}"
         fi
-
         echo "cmd=$cmd" >> $GITHUB_OUTPUT
+    
 
     - name: Measure disk usage (Uncompressed)
       env:
