Skip to content

Preview actions: de-duplicate and harden (regex + github-script injection) #35

Description

@mmcky

preview-netlify and preview-cloudflare share ~150 lines of near-identical logic (trust gate, change detection, PR comment), so bugs must be fixed twice. Consolidate, then harden once.

  • M9 — De-duplicate. Extract the shared change-detection + PR-comment logic into a script under scripts/ (or a small composite sub-action) reused by both. Reduces drift.
  • H7 — Regex hardening. lectures-dir is interpolated raw into a bash regex: preview-netlify/action.yml:74, preview-cloudflare/action.yml:77. Today every repo uses lectures so it's latent; a value with ./+/spaces misbehaves. Use printf '%q' or a whitelist.
  • N2 (security) — Script injection via untrusted file paths. Both actions interpolate PR-controlled file paths into the github-script JS body: const changedFiles = `${{ steps.detect-changes.outputs.changed-files }}`; (preview-netlify:159, preview-cloudflare:173). A filename containing a backtick or ${...} can break out of the template literal and run arbitrary JS holding github.token. Mitigated by the check-trust gate (forks/dependabot are skipped, so exploitation needs repo push access), but it's the canonical anti-pattern. Fix: pass values via env: and read process.env.

Related: #14 (cloudflare PR-comment URL).

Filed from the 2026-06-16 technical review.

Metadata

Metadata

Assignees

No one assigned

    Labels

    maintenanceMaintenance tasks on the repositorysecuritySecurity hardening

    Type

    No type
    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions