fix: update README docs for shallow cloning #4137

Status: Open. Wants to merge 1 commit into base `main`.

Conversation

@skrobul skrobul commented May 13, 2025

Current example for using trufflehog in GitHub actions with shallow cloning is unfortunately susceptible to a quoting injection.

Specifically, if any of the commits include the single quote mark, the whole workflow terminates with a syntax error because the `jq` can no longer calculate length of the commits array. In fact, `jq` is not even launched because it's really bash waiting for the single quote to be terminated when evaluating this expression:

```bash
$(jq length <<< '${{ toJson(github.event.commits) }}')
```

This can be triggered with an example commit message of `that's my commit`. In such case, the `toJson()` produces something similar to this:

```jsonc
[
    {
      "author": {
        "email": "skrobul@skrobul.com",
        "name": "Marek Skrobacki",
        "username": "skrobul"
      },
      // ...
      "id": "1743e414cff505efac7e38128974cfa39cd56332",
      "message": "that's my commit",
      "timestamp": "2025-05-13T10:33:04-05:00",
      // ...
    }
  ]
```

While technically the input here could be sanitized with additional filtering, I believe using shell scripting for this is far from ideal.

My alternative proposal uses GitHub's native `github-script` which offers slightly more safety and avoids shell escaping issues.
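The weak step and two hardened forms of it side by side, as an added illustration (this is not the PR's diff, which is not shown on this page, and not the trufflehog README's own text). The `+ 1` on the depth, the step names and the `depth` output name are assumptions; the point is where the untrusted commit text ends up: inside the script bash parses, or in a variable or object that is never re-parsed.

```yaml
on: push

jobs:
  trufflehog:
    runs-on: ubuntu-latest
    steps:
      # Weak pattern from the PR description: the expression is expanded into the
      # script text before bash parses it, so a commit message such as
      # "that's my commit" leaves an unterminated single quote and the step
      # fails before jq ever runs.
      # - name: Compute depth (vulnerable)
      #   run: echo "depth=$(($(jq length <<< '${{ toJson(github.event.commits) }}') + 1))" >> "$GITHUB_ENV"

      # Hardened variant 1: keep the shell, but hand the JSON over through an
      # environment variable. The runner sets the variable verbatim and bash
      # never re-parses its contents, so quotes in commit messages are inert.
      - name: Compute depth (env var)
        env:
          COMMITS_JSON: ${{ toJson(github.event.commits) }}
        run: echo "depth=$(($(jq length <<< "$COMMITS_JSON") + 1))" >> "$GITHUB_ENV"

      # Hardened variant 2: no shell at all, as the PR proposes. The payload is
      # already a JavaScript object, so there is nothing to quote or escape.
      - name: Compute depth (github-script)
        id: depth
        uses: actions/github-script@v7
        with:
          script: |
            const commits = context.payload.commits ?? [];
            // assumption: one extra commit so the parent of the first pushed commit is present
            core.setOutput('depth', commits.length + 1);

      - uses: actions/checkout@v4
        with:
          fetch-depth: ${{ steps.depth.outputs.depth }}
```

Either hardened form can be checked locally by pushing a commit whose message contains a single quote and confirming the depth step still succeeds.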

@skrobul skrobul requested a review from a team as a code owner May 13, 2025 13:08
CLAassistant commented May 13, 2025

CLA assistant check
All committers have signed the CLA.
