Skip to content

Commit 1751d3e

Browse files
fix(action): escape inputs to prevent expression injection
1 parent 40b97d1 commit 1751d3e

File tree

1 file changed

+4
-4
lines changed

1 file changed

+4
-4
lines changed

action.yml

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -35,7 +35,7 @@ runs:
3535
- name: Install commitlint
3636
shell: bash
3737
run: |
38-
npm install --silent --global commitlint@${{ inputs.version }}
38+
npm install --silent --global commitlint@${{ toJSON(inputs.version) }}
3939
4040
if [[ '${{ runner.debug }}' == 1 ]]; then
4141
commitlint --version
@@ -58,10 +58,10 @@ runs:
5858
)
5959
6060
if [[ $RULES_LENGTH == 0 ]]; then
61-
npm install --silent --no-save ${{ inputs.config }}
61+
npm install --silent --no-save ${{ toJSON(inputs.config) }}
6262
cat <<'EOF' > .commitlintrc.json
6363
{
64-
"extends": ["${{ inputs.config }}"],
64+
"extends": [${{ toJSON(inputs.config) }}],
6565
"rules": {
6666
"body-max-line-length": [1, "always", 100],
6767
"footer-max-line-length": [1, "always", 100]
@@ -72,7 +72,7 @@ runs:
7272
7373
- name: Run commitlint
7474
shell: bash
75-
run: commitlint --from=${{ inputs.from }}
75+
run: commitlint --from=${{ toJSON(inputs.from) }}
7676

7777
- name: Cleanup
7878
shell: bash

0 commit comments

Comments
 (0)