Description
Hi there! I've got an action that uses the toolkit, called commitlint-github-action. BTW thanks for the amazing work! ❤️
This action used to call 2 features of this package: core.setFailed and core.setOutput. We logged commit message information through these 2 commands.
After this announcement regarding CVE-2020-15228, I needed to disable command execution because I log untrusted data to STDOUT, as they advised:
If you need to log untrusted information such as issue titles, bodies, or commit messages to STDOUT we recommend that you disable command processing prior to doing that.
I see that support for set-env and add-path through commands has been removed from runners, so I was tempted to update my action to issue commands again. But then I noticed this feature was not completely removed from runners, as people can set the ACTIONS_ALLOW_UNSECURE_COMMANDS env var at the job level. So if someone enables the commitlint action on forked PRs, there's still a vulnerability in my action, since people can add the env var on forked PRs.
All this is based on the assumption that the toolkit can't guarantee that the commands issued through @actions/core are safe. But is that assumption correct? I see that there is some logic to escape data; would that be enough to call core.setFailed and core.setOutput without worrying that I'm passing untrusted information to them?
Or if you confirm that I can't use commands even through @actions/core functions, do you think there's an alternative solution that doesn't involve disabling workflow commands? 🙌