diff --git a/.github/workflows/feature-deployment.yml b/.github/workflows/feature-deployment.yml index c0740c517b4..f7ade5e169d 100644 --- a/.github/workflows/feature-deployment.yml +++ b/.github/workflows/feature-deployment.yml @@ -29,21 +29,31 @@ jobs: steps: - id: set_env_variables name: Set Environment Variables + env: + # Bind user-controlled workflow inputs and branch refs to env vars so + # they are never string-interpolated into the shell script by GitHub + # Actions (prevents expression-injection / shell-injection). + INPUT_BASE_TAG_NAME: ${{ github.event.inputs.base_tag_name }} + GH_TARGET_BRANCH: ${{ env.TARGET_BRANCH }} run: | + # Strip CR/LF from user-supplied input to prevent $GITHUB_OUTPUT + # injection: a newline in the value would forge extra output keys. + SAFE_BASE_TAG=$(printf '%s' "$INPUT_BASE_TAG_NAME" | tr -d '\r\n') + echo "BUILDX_DRIVER=docker-container" >> $GITHUB_OUTPUT echo "BUILDX_VERSION=latest" >> $GITHUB_OUTPUT echo "BUILDX_PLATFORMS=linux/amd64" >> $GITHUB_OUTPUT echo "BUILDX_ENDPOINT=" >> $GITHUB_OUTPUT - if [ "${{ github.event.inputs.base_tag_name }}" != "" ]; then - echo "AIO_BASE_TAG=${{ github.event.inputs.base_tag_name }}" >> $GITHUB_OUTPUT + if [ "$SAFE_BASE_TAG" != "" ]; then + echo "AIO_BASE_TAG=$SAFE_BASE_TAG" >> $GITHUB_OUTPUT else echo "AIO_BASE_TAG=develop" >> $GITHUB_OUTPUT fi - echo "TARGET_BRANCH=${{ env.TARGET_BRANCH }}" >> $GITHUB_OUTPUT + echo "TARGET_BRANCH=$GH_TARGET_BRANCH" >> $GITHUB_OUTPUT - FLAT_BRANCH_NAME=$(echo "${{ env.TARGET_BRANCH }}" | sed 's/[^a-zA-Z0-9]/-/g') + FLAT_BRANCH_NAME=$(echo "$GH_TARGET_BRANCH" | sed 's/[^a-zA-Z0-9]/-/g') echo "FLAT_BRANCH_NAME=$FLAT_BRANCH_NAME" >> $GITHUB_OUTPUT - id: checkout_files