Avoiding input injection issues #17
Labels
documentation
Improvements or additions to documentation
Comments
|
Yep, good points. Thanks for sharing |
|
What would be a better alternative? I didn't understand it, sorry |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
ci-cd-intro/.github/workflows/staging.yml
Line 40 in 37cbd0c
It's nice that you keep reminding people about the dangers of things like a random
curl somwhere | sh, and there is a similar problem on this line: the use of${{...}}means that whatever you type as the input is replacing that directly. For example, I can use an input like(console.log(whatever), 123), and it'll blindly run it. Yes, it's minor, since I'd need to be a collaborator to run your actions, but you might assume that as long as you review all of my PRs I cannot read your secrets. Instead, you could just usecontext.payload.inputsin the code (without${{...}}s) and be calm knowing that no such trickery can happen...(Same as the other thing, I guess that editing is impractical, but just wanted to say it since I half-expected you to at least say something about it.)
The text was updated successfully, but these errors were encountered: