Merge pull request #90 from fish-shop/harden-action

Harden action handling of untrusted inputs
fish-shop · Aug 9, 2024 · c2cb113 · c2cb113
2 parents c7ed2fd + 4bf35d5
commit c2cb113
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 22 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -45,13 +45,13 @@ jobs:
         continue-on-error: true
         uses: ./
         with:
-          pattern: valid-syntax.fish
+          patterns: valid-syntax.fish
       - name: Syntax check invalid fish file
         id: check-invalid-file
         continue-on-error: true
         uses: ./
         with:
-          pattern: invalid-syntax.fish
+          patterns: invalid-syntax.fish
       - name: Check outcomes
         run: |
           exit_code=0

diff --git a/README.md b/README.md
@@ -25,22 +25,22 @@ Add a suitable `uses` step to your GitHub [workflow](https://docs.github.com/en/
   uses: fish-shop/syntax-check@v1
 ```
 
-By default, all files under `$GITHUB_WORKSPACE` with a `.fish` file extension are checked. To specify a different file pattern to match against, provide a value for the `pattern` input. For example, to check all `.fish` files starting in the `src` directory and descending into subdirectories:
+By default, all files under `$GITHUB_WORKSPACE` with a `.fish` file extension are checked. To override the default behaviour, provide one or more space-seperated pattern values to the `patterns` input. For example, to check all `.fish` files starting in the `src` directory and descending into subdirectories:
 
 ```yaml
 - name: Syntax check
   uses: fish-shop/syntax-check@v1
   with:
-    pattern: src/**.fish
+    patterns: src/**.fish
 ```
 
-Multiple space-separated `pattern` values are supported and can include [wildcards](https://fishshell.com/docs/current/language.html#expand-wildcard) and [brace expansion](https://fishshell.com/docs/current/language.html?highlight=brace+expansion#brace-expansion):
+Each pattern value may include [wildcards](https://fishshell.com/docs/current/language.html#expand-wildcard) and/or [brace expansion](https://fishshell.com/docs/current/language.html?highlight=brace+expansion#brace-expansion):
 
 ```yaml
 - name: Syntax check
   uses: fish-shop/syntax-check@v1
   with:
-    pattern: init.fish functions/**.fish {conf.d,completions}/**.fish tests/???-*.fish
+    patterns: init.fish functions/**.fish {conf.d,completions}/**.fish tests/???-*.fish
 ```
 
 ## Action versions

diff --git a/action.yml b/action.yml
@@ -4,33 +4,43 @@ branding:
   icon: 'check'
   color: 'green'
 inputs:
-  pattern:
-    description: 'File name pattern'
+  patterns:
+    description: 'File patterns to match against when running syntax checks'
     required: false
     default: '**.fish'
 runs:
   using: "composite"
   steps:
-    - run: |
+    - name: Syntax check fish shell files
+      env:
+        PATTERNS: ${{ inputs.patterns }}
+      run: |
         set -gx TERM xterm-256color
 
         set -l passes 0
         set -l failures 0
 
-        for file in ${{ inputs.pattern }}
-            echo -n "  "
-            set output (fish --no-execute $file 2>&1)
-            if test $status -ne 0
-                set_color red; and echo -n "✖"; and set_color normal
-                echo " $file"
-                for line in (string split $output)
-                    echo "      $line"
+        for pattern in (string split --no-empty -- " " $PATTERNS)
+            set -l escaped (string escape --style=script --no-quoted -- $pattern)
+            set -l escaped (string replace -r -a -- '\\\([?*{}])' '$1' $escaped)
+
+            eval set -l files $escaped
+
+            for file in $files
+                echo -n "  "
+                set output (fish --no-execute $file 2>&1)
+                if test $status -ne 0
+                    set_color red; and echo -n "✖"; and set_color normal
+                    echo " $file"
+                    for line in (string split -- $output)
+                        echo "      $line"
+                    end
+                    set failures (math $failures + 1)
+                else
+                    set_color green; and echo -n "✔"; and set_color normal
+                    echo " $file"
+                    set passes (math $passes + 1)
                 end
-                set failures (math $failures + 1)
-            else
-                set_color green; and echo -n "✔"; and set_color normal
-                echo " $file"
-                set passes (math $passes + 1)
             end
         end