Add new script injection input #332
| Unfortunately this PR is not acceptable straightforward because 
 But it's a good point that accessing  | 
| Sorry for the valid tests that I removed. The problem I want to fix with this PR is the use of this expression in run scripts  The solution is not to ban  We could change the  | 
| I propose a new solution for matching all elements like in env I'm using  Sorry for all the commits, I was confused with my branches and my local repo. | 
| I think banning  | 
| Hi @rhysd, any update on this PR? I've opened an issue with more details as you asked :) | 
78e9286 to 0b49da7
    …he possibility to add wildcard in dangerous expressions
| Hi @rhysd, I've reverted the  However, I've kept the possibility to add a wildcard entry to this 

```go
var envUntrustedInput = actionlint.NewUntrustedInputMap("env",
	actionlint.NewUntrustedInputMap("**"),
)
...
untrustedInputSearchRoots := actionlint.BuiltinUntrustedInputs
untrustedInputSearchRoots.AddRoot(envUntrustedInput)
```

This way it doesn't impact actionlint but offers the possibility to catch other untrusted inputs. In my context I can catch this: I hope this suits you better. All the tests are OK so this should be better for you :) Don't hesitate if you have any remarks! | 
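Added example, not code from this PR or from actionlint: a stand-alone Go checker showing how a `**` entry under `env` flags every `${{ env.X }}` interpolation in a run script while fixed paths still need an exact match. The `node` type, `FindUntrusted`, the rule set and the sample script are assumptions made for illustration, and only plain dotted property access is handled.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// node is a simplified, hypothetical stand-in for an untrusted-input tree
// (not actionlint's UntrustedInputMap). A "**" child matches any property path.
type node map[string]node

// untrusted is a constructed rule set: the env wildcard from the comment above
// plus github.event.issue.title as a fixed path that must match exactly.
var untrusted = node{
	"env":    {"**": nil},
	"github": {"event": {"issue": {"title": nil}}},
}

var exprRe = regexp.MustCompile(`\$\{\{\s*(.*?)\s*\}\}`)                 // body of ${{ ... }}
var pathRe = regexp.MustCompile(`^[A-Za-z_][\w-]*(\.[A-Za-z_][\w-]*)+$`) // plain a.b.c access only

// matches reports whether segs walks the tree down to a leaf or hits a "**" wildcard.
func matches(n node, segs []string) bool {
	if len(segs) == 0 {
		return len(n) == 0
	}
	if _, ok := n["**"]; ok {
		return true
	}
	child, ok := n[strings.ToLower(segs[0])]
	return ok && matches(child, segs[1:])
}

// FindUntrusted returns the untrusted property paths interpolated into a run script.
func FindUntrusted(script string) []string {
	var hits []string
	for _, m := range exprRe.FindAllStringSubmatch(script, -1) {
		if pathRe.MatchString(m[1]) && matches(untrusted, strings.Split(m[1], ".")) {
			hits = append(hits, m[1])
		}
	}
	return hits
}

func main() {
	// Constructed run: script; github.sha is the only path outside the rule set.
	script := "echo \"${{ env.GREETING }}\"\necho \"${{ github.event.issue.title }}\" ${{ github.sha }}"
	fmt.Println(FindUntrusted(script))
}
```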
| Hi @rhysd, any comment since my last update? Do you need additional information or something to help you with this PR? | 
05e056b to 5aaa4ce
b249531 to bdb47a5
I've added a new entry in BuiltinUntrustedInputs because I already saw something like this where it's possible to inject code in the runner from an opened issue:
I changed a lot of tests to make it work, I hope it will be OK.