Commit 323bd27

Prevent command injection in Measure Disk Usage (#21874)
* Add format check to branch name
* Remove branch name validation
1 parent 20d375c commit 323bd27

1 file changed

+7
-5
lines changed

.github/workflows/measure-disk-usage.yml

Lines changed: 7 additions & 5 deletions
@@ -37,16 +37,18 @@ jobs:
3737
3838
- name: Define command
3939
id: cmd
40+
env:
41+
HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
42+
EVENT_NAME: ${{ github.event.workflow_run.event }}
43+
HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
4044
run: |
41-
cmd="ddev -v size status \
42-
--commit ${{ github.event.workflow_run.head_sha }} \
43-
--format json"
45+
cmd="ddev -v size status --commit \"$HEAD_SHA\" --format json"
4446
45-
if [ "${{ github.event.workflow_run.event }}" = "push" ] && [ "${{ github.event.workflow_run.head_branch }}" = "master" ]; then
47+
if [ "$EVENT_NAME" = "push" ] && [ "$HEAD_BRANCH" = "master" ]; then
4648
cmd="$cmd --to-dd-key ${{ secrets.DD_API_KEY }}"
4749
fi
48-
4950
echo "cmd=$cmd" >> $GITHUB_OUTPUT
51+
5052

5153
- name: Measure disk usage (Uncompressed)
5254
env:
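Review bot: The `cmd` string built on line 45 still embeds `$HEAD_SHA` with escaped quotes (`\"$HEAD_SHA\"`) and is then written to `$GITHUB_OUTPUT`, which means a later step will re-parse that string with a shell; moving the `${{ }}` expressions into `env:` removes the template-injection in this step, but no format check is applied to `HEAD_SHA` before it is spliced into a command that is evaluated again downstream. Since `workflow_run` inputs originate from the triggering workflow, consider rejecting anything that is not a plain commit hash before building `cmd`, e.g. `[[ "$HEAD_SHA" =~ ^[0-9a-f]{7,40}$ ]] || exit 1`, or pass the SHA to the consuming step through its own `env:` variable instead of through a pre-built command string. Two smaller points: `--to-dd-key ${{ secrets.DD_API_KEY }}` on line 48 is still interpolated directly into the script and ends up in a step output rather than an `env:` variable, and `>> $GITHUB_OUTPUT` on line 50 should be quoted as `>> "$GITHUB_OUTPUT"` for consistency with the rest of the hunk.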

0 commit comments
