Avoid running malicious inputs as shell commands in the GitHub Actions #420

Merged
merged 1 commit into from
May 13, 2024


eason9487
Member

Changes proposed in this Pull Request:

This PR avoids running malicious inputs as shell commands in the GitHub Actions.

Although these input values are entered by devs who have access to this repo, which means it's almost unlikely to be vulnerable to such attacks, it would be better to fix it.

Checks:

  • Does your code follow the WordPress coding standards?
  • Have you written new tests for your changes, as applicable?
  • Have you successfully run tests with your changes locally?
  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?

Detailed test instructions:

  1. Please refer to the PR "Avoid running malicious inputs as shell commands in the GitHub Actions" (google-listings-and-ads#2397) that fixes the same issue.
  2. Check if the "Install WP release candidate" and "Install WC release candidate" steps can work as before when entering valid versions
  3. Check if the "Install WP tests" step can work as before when entering valid versions

Changelog entry

@eason9487 eason9487 requested a review from a team May 10, 2024 09:05
@eason9487 eason9487 self-assigned this May 10, 2024
@github-actions github-actions bot added the changelog: dev Developer-facing only change. label May 10, 2024
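
The class of problem described in the PR above, shown as an added example that is not part of this pull request or the repository's workflows: a `workflow_dispatch` input expanded directly into a `run:` script, next to a version that passes it through an environment variable and validates it. The workflow, the input name `wp-rc-version`, the accepted version pattern and `./bin/install-wp-rc.sh` are all hypothetical.

```yaml
# Constructed workflow for illustration only. The input name, the version
# pattern and ./bin/install-wp-rc.sh are hypothetical, not from this repo.
name: Example - handling a version input
on:
  workflow_dispatch:
    inputs:
      wp-rc-version:
        description: "WordPress release candidate version, e.g. 6.5-RC1"
        required: true
        type: string

permissions:
  contents: read

jobs:
  install:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Before: the expression is substituted into the script text before the
      # shell starts, so any shell metacharacters in the input become part of
      # the script itself.
      - name: Install WP release candidate (before)
        run: ./bin/install-wp-rc.sh ${{ inputs.wp-rc-version }}

      # After: the input reaches the shell only as the value of an environment
      # variable, is always expanded inside double quotes, and is checked
      # against a strict pattern before anything consumes it.
      - name: Install WP release candidate (after)
        shell: bash
        env:
          WP_RC_VERSION: ${{ inputs.wp-rc-version }}
        run: |
          # Bash regex anchors match the whole string, so embedded newlines fail.
          re='^[0-9]+(\.[0-9]+){1,2}(-(RC|beta)[0-9]+)?$'
          if [[ ! "$WP_RC_VERSION" =~ $re ]]; then
            echo "::error::Unexpected version format"
            exit 1
          fi
          ./bin/install-wp-rc.sh "$WP_RC_VERSION"
```

Valid versions behave the same in both steps, which is what the test instructions above ask reviewers to confirm; only the handling of unexpected input differs.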
Contributor

@martynmjones martynmjones left a comment


Hey @eason9487, thanks for adding extra protections for the input values!

Reviewed the changes and all looks good ✅

@eason9487 eason9487 merged commit 33105d0 into trunk May 13, 2024
11 checks passed
@eason9487 eason9487 deleted the dev/avoid-gha-malicious-input branch May 13, 2024 02:15
@puntope puntope mentioned this pull request May 14, 2024
19 tasks