From 60c00a67ddbd7a5d5e8e5c58790e326ae95a3d8b Mon Sep 17 00:00:00 2001 From: Jeffrey Heckey Date: Fri, 26 Sep 2025 22:10:00 +0000 Subject: [PATCH] Preventing script injection attacks Ref: https://docs.github.com/en/actions/reference/security/secure-use#good-practices-for-mitigating-script-injection-attacks * Replaced github variables with temporary variables * Put URL in quotes for env var substitutions --- .github/workflows/code-freeze.yml | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/.github/workflows/code-freeze.yml b/.github/workflows/code-freeze.yml index e3e528c..9d6d4cb 100644 --- a/.github/workflows/code-freeze.yml +++ b/.github/workflows/code-freeze.yml @@ -20,13 +20,24 @@ jobs: - name: Fetch PR data and check if merge allowed if: env.FROZEN == 'true' env: - PR_TITLE: ${{ github.event.pull_request.title }} - BRANCH_NAME: ${{ github.event.pull_request.head.ref }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_REPO: ${{ github.repository }} + GITHUB_PR_NUMBER: ${{ github.event.pull_request.number }} run: | + PR_DATA=$(curl -s \ + -H "Authorization: Bearer $GITHUB_TOKEN" \ + -H "Accept: application/vnd.github.v3+json" \ + "https://api.github.com/repos/$GITHUB_REPO/pulls/$GITHUB_PR_NUMBER)" + BRANCH_NAME=$(echo $PR_DATA | jq .head.ref -r) + PR_TITLE=$(echo $PR_DATA | jq .title -r) + + echo $BRANCH_NAME + echo $PR_TITLE + # if it's not a critical fix - if ! [[ "$PR_TITLE" == fix(critical):* ]]; then + if ! [[ "$PR_TITLE" == fix\(critical\):* ]]; then # and there's an unfrozen prefix - if [[ -n "${UNFROZEN_PREFIX:-}" ]]; then + if ! [[ -z $UNFROZEN_PREFIX ]]; then # check if the branch matches unfrozen prefix if [[ "$BRANCH_NAME" != $UNFROZEN_PREFIX* ]]; then echo "Error: You can only merge from branches that start with '$UNFROZEN_PREFIX', or PRs titled with prefix 'fix(critical): '." @@ -37,4 +48,4 @@ jobs: echo "Error: You can only merge PRs titled with prefix 'fix(critical): '." exit 1 fi - fi \ No newline at end of file + fi