Sanitize pull request title before passing to gitlint #1624
Comments
terriko
changed the title
|
Took a deeper look at this. As we currently invoke gitlint, it could execute bash commands: https://securitylab.github.com/research/github-actions-untrusted-input/ It's a little embarrassing that I didn't notice this earlier since I'm literally trained for this kind of error, but since I have to approve pull requests until a new contributor has code merged, at least only existing contributors could have taken advantage of this (and it would have been reasonably obvious in the PR logs). I've merged a fix already. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Currently, if your pull request has a bracket in it (e.g. "ci: upgrade black (fixes #1621)") then gitlint fails.
I rather like having brackets in pull requests to denote such fixes. can we fix how we pass the commit message to gitlint so this will work going forwards?
The text was updated successfully, but these errors were encountered: