Sanitize user input in github workflow

storybookjs · Nov 28, 2022 · ffb8558 · ffb8558
1 parent 6127de5
commit ffb8558
Showing 1 changed file with 11 additions and 6 deletions.
diff --git a/.github/workflows/trigger-circle-ci-workflow.yml b/.github/workflows/trigger-circle-ci-workflow.yml
@@ -17,13 +17,14 @@ jobs:
         env:
           # Stored as environment variable to prevent script injection
           REF_NAME: ${{ github.ref_name }}
+          PR_REF_NAME: ${{ github.event.pull_request.head.ref }}
         run: |
           if  [ "${{ github.event.pull_request.head.repo.fork }}" = "true" ]; then
             export BRANCH=pull/${{ github.event.pull_request.number }}/head
             elif [ "${{ github.event_name }}" = "push" ]; then
             export BRANCH="$REF_NAME"
             else
-            export BRANCH=${{ github.event.pull_request.head.ref }}
+            export BRANCH="$PR_REF_NAME"
           fi
           echo "$BRANCH"
           echo "branch=$BRANCH" >> $GITHUB_ENV
@@ -41,13 +42,14 @@ jobs:
             -H "Content-Type: application/json" \
             -H "Circle-Token: $CIRCLE_CI_TOKEN" \
             -d '{
-                  "branch": "${{ needs.get-branch.outputs.branch }}",
+                  "branch": "$BRANCH",
                   "parameters": {
                     "workflow": "ci"
                   }
                 }'
         env:
           CIRCLE_CI_TOKEN: ${{ secrets.CIRCLE_CI_TOKEN }}
+          BRANCH: ${{ needs.get-branch.outputs.branch }}
   trigger-pr-tests:
     runs-on: ubuntu-latest
     needs: get-branch
@@ -59,13 +61,14 @@ jobs:
             -H "Content-Type: application/json" \
             -H "Circle-Token: $CIRCLE_CI_TOKEN" \
             -d '{
-                  "branch": "${{ needs.get-branch.outputs.branch }}",
+                  "branch": "$BRANCH",
                   "parameters": {
                     "workflow": "pr"
                   }
                 }'
         env:
           CIRCLE_CI_TOKEN: ${{ secrets.CIRCLE_CI_TOKEN }}
+          BRANCH: ${{ needs.get-branch.outputs.branch }}
   trigger-merged-tests:
     runs-on: ubuntu-latest
     needs: get-branch
@@ -77,13 +80,14 @@ jobs:
             -H "Content-Type: application/json" \
             -H "Circle-Token: $CIRCLE_CI_TOKEN" \
             -d '{
-                  "branch": "${{ needs.get-branch.outputs.branch }}",
+                  "branch": "$BRANCH",
                   "parameters": {
                     "workflow": "merged"
                   }
                 }'
         env:
           CIRCLE_CI_TOKEN: ${{ secrets.CIRCLE_CI_TOKEN }}
+          BRANCH: ${{ needs.get-branch.outputs.branch }}
   trigger-daily-tests:
     runs-on: ubuntu-latest
     needs: get-branch
@@ -95,10 +99,11 @@ jobs:
             -H "Content-Type: application/json" \
             -H "Circle-Token: $CIRCLE_CI_TOKEN" \
             -d '{
-                  "branch": "${{ needs.get-branch.outputs.branch }}",
+                  "branch": "$BRANCH",
                   "parameters": {
                     "workflow": "daily"
                   }
                 }'
         env:
-          CIRCLE_CI_TOKEN: ${{ secrets.CIRCLE_CI_TOKEN }}
+          CIRCLE_CI_TOKEN: ${{ secrets.CIRCLE_CI_TOKEN }}
+          BRANCH: ${{ needs.get-branch.outputs.branch }}