From fe2679f35165b9be0e755510a1a072661d418a6c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vincent=20Stehl=C3=A9?=
Date: Thu, 23 May 2024 17:50:00 +0200
Subject: [PATCH] CI: prevent script injection
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Treat github.event.pull_request.title as untrusted; use an intermediate environment variable to prevent script injections.

Suggested-by: Stephen Paulger
Signed-off-by: Vincent Stehlé
---
 .github/workflows/main.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index bd07540..9b9b7a6 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -27,6 +27,8 @@ jobs:
 # and only in the following cases:
 # - Push of a tag or to the main branch
 # - Pull request opened for the main branch of the main repository.
+ env:
+      PR_TITLE: ${{ github.event.pull_request.title }}
 if: ${{ github.repository == 'ARM-software/ebbr' }}
 run: |
 case "${{ github.event_name }}" in
@@ -43,7 +45,7 @@ jobs:
 if [ "${{ github.event.action }}" == opened ] && [ "${{ github.event.pull_request.base.ref }}" == main ]; then
 msg="Pull request ${{ github.event.number }}"
- msg="$msg (\"${{ github.event.pull_request.title }}\")"
+ msg="$msg (\"$PR_TITLE\")"
 msg="$msg ${{ github.event.action }}"
 url="${{ github.event.pull_request.html_url }}"
 fi
 ;;
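Review bot: The new `env:` block is inserted between the comment run ("# and only in the following cases: …") and the `if:` / `run:` keys that comment describes, so the explanation now reads as if it were about the environment variable rather than about when the step runs; placing `env:` above that comment block, or directly below `run:`'s sibling keys, keeps the comment next to what it documents. The reason for the indirection also lives only in the commit message, and the workflow file itself should carry it, for example `# The PR title is user-controlled free text: pass it through an environment variable so it is never expanded into the shell script itself.` above `PR_TITLE:`. The step this hunk modifies starts before the hunk, so whether `env:` is at step level or job level cannot be confirmed from here; it should be step-level so the value is scoped to this one `run:`.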
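Review bot: `"$PR_TITLE"` inside the double-quoted assignment is the right shape, but the surrounding lines still splice `${{ github.event.action }}`, `${{ github.event.number }}`, `${{ github.event_name }}` and `${{ github.event.pull_request.html_url }}` directly into the script; these are GitHub-generated values rather than free text, so the exposure is much lower than the title, but routing all of them through `env:` keeps the `run:` block free of expression interpolation and makes the rule easy to audit, e.g. `PR_URL: ${{ github.event.pull_request.html_url }}` in `env:` and `url="$PR_URL"` here. Quoting the variable does not make the title safe for every later use: `msg` is consumed outside this hunk, and if it is written to `$GITHUB_OUTPUT` or a step summary, a title containing newlines needs the multi-line delimiter form to avoid being misread as additional output entries. The enclosing `case` arm and the step's remaining body continue beyond the hunk.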