yoanm
diff --git a/‎.github/actions/reports-group/codacy-uploader-action/action.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/actions/reports-group/codacy-uploader-action/action.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/actions/reports-group/codecov-uploader-action/action.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/actions/reports-group/codecov-uploader-action/action.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/actions/reports-group/create-action/dist/index.js‎
Lines changed: 1 addition & 1 deletion b/‎.github/actions/reports-group/create-action/dist/index.js‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/actions/reports-group/create-action/dist/index.js.map‎
Lines changed: 1 addition & 1 deletion b/‎.github/actions/reports-group/create-action/dist/index.js.map‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/actions/reports-group/find-action/dist/index.js‎
Lines changed: 1 addition & 1 deletion b/‎.github/actions/reports-group/find-action/dist/index.js‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/actions/reports-group/find-action/dist/index.js.map‎
Lines changed: 1 addition & 1 deletion b/‎.github/actions/reports-group/find-action/dist/index.js.map‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/actions/reports-group/load-metadata-action/dist/index.js‎
Lines changed: 2 additions & 2 deletions b/‎.github/actions/reports-group/load-metadata-action/dist/index.js‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/actions/reports-group/load-metadata-action/dist/index.js.map‎
Lines changed: 1 addition & 1 deletion b/‎.github/actions/reports-group/load-metadata-action/dist/index.js.map‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/actions/reports-group/load-metadata-action/index.js‎
Lines changed: 0 additions & 1 deletion b/‎.github/actions/reports-group/load-metadata-action/index.js‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎.github/actions/reports-group/node-sdk/src/path.js‎
Lines changed: 4 additions & 4 deletions b/‎.github/actions/reports-group/node-sdk/src/path.js‎
Lines changed: 4 additions & 4 deletions
@@ -67,7 +67,7 @@ runs:
           const {METADATA} = process.env;
           
           const metadata = JSON.parse(METADATA);
-          core.setOutput('coverage-reports', metadata.reportPaths); // Trusted path as it comes from trusted metadata (=from `reports-group/load-metadata`)
+          core.setOutput('coverage-reports', metadata.reports); // Trusted path as it comes from trusted metadata (=from `reports-group/load-metadata`)
 
     - name: Ensure at least one report to upload
       if: ${{ '' == steps.build-uploader-options.outputs.coverage-reports }}
 
@@ -106,7 +106,7 @@ runs:
           
           const metadata = JSON.parse(METADATA);
           core.setOutput('name', metadata.name);
-          core.setOutput('files', metadata.reportPaths); // Trusted path as it comes from trusted metadata (=from `reports-group/load-metadata`)
+          core.setOutput('files', metadata.reports); // Trusted path as it comes from trusted metadata (=from `reports-group/load-metadata`)
           if (metadata.flags.length > 0) {
             core.setOutput('flags', metadata.flags);
           }
 
@@ -53,7 +53,6 @@ async function run() {
                     reports: formatList('reports'),
                     flags: formatList('flags'),
                     path: formatScalar('path'),
-                    reportPaths: formatList('reportPaths')
                 };
             }
 
 
@@ -63,7 +63,7 @@ function trustFrom(workspacePath) {
         },
         /**
          * @param {string} untrustedGroupPath
-         * @returns {{name: string, format: string, reports: string[], flags: string[], path: string, reportPaths: string[]}}
+         * @returns {{name: string, format: string, reports: string[], flags: string[], path: string}}
          */
         trustedMetadataUnder: (untrustedGroupPath) => {
             const trustedPath = helpers.trust(path.join(untrustedGroupPath, METADATA_FILENAME));
@@ -72,15 +72,15 @@ function trustFrom(workspacePath) {
 
             const untrustedMetadata = JSON.parse(content);
             const trustedGroupPath = path.dirname(trustedPath);
-            const trustedReportPaths = untrustedMetadata.reports.map(r => helpers.trust(r));
+            // Ensure `reports` hasn't been tampered with ! (may lead to files outside the directory)
+            const trustedReportPathsConverter = trustFrom(trustedGroupPath);
 
             return {
                 name: untrustedMetadata.name,
                 format: untrustedMetadata.format,
-                reports: trustedReportPaths,
+                reports: untrustedMetadata.reports.map(r => trustedReportPathsConverter.trust(path.join(trustedGroupPath, r))),
                 flags: untrustedMetadata.flags,
                 path: withTrailingSeparator(trustedGroupPath),
-                reportPaths: trustedReportPaths.map(trustedFp => path.join(trustedGroupPath, trustedFp)),
             };
         }
     };
Original file line number	Diff line number	Diff line change
`@@ -106,7 +106,7 @@ runs:`
`106`	`106`
`107`	`107`	`const metadata = JSON.parse(METADATA);`
`108`	`108`	`core.setOutput('name', metadata.name);`
`109`		- core.setOutput('files', metadata.reportPaths); // Trusted path as it comes from trusted metadata (=from `reports-group/load-metadata`)
	`109`	+ core.setOutput('files', metadata.reports); // Trusted path as it comes from trusted metadata (=from `reports-group/load-metadata`)
`110`	`110`	`if (metadata.flags.length > 0) {`
`111`	`111`	`core.setOutput('flags', metadata.flags);`
`112`	`112`	`}`
Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,6 @@ async function run() {`
`53`	`53`	`reports: formatList('reports'),`
`54`	`54`	`flags: formatList('flags'),`
`55`	`55`	`path: formatScalar('path'),`
`56`		`- reportPaths: formatList('reportPaths')`
`57`	`56`	`};`
`58`	`57`	`}`
`59`	`58`