fix: check-pr-title job has prompt injection (#18)
All checks were successful
CI / Check PR Title (push) Has been skipped
CI / Go Lint (push) Successful in 36s
CI / Makefile Lint (push) Successful in 35s
CI / Markdown Lint (push) Successful in 22s
CI / Unit Tests (push) Successful in 35s
CI / Fuzz Tests (push) Successful in 1m6s
CI / Mutation Tests (push) Successful in 1m10s
All checks were successful
CI / Check PR Title (push) Has been skipped
CI / Go Lint (push) Successful in 36s
CI / Makefile Lint (push) Successful in 35s
CI / Markdown Lint (push) Successful in 22s
CI / Unit Tests (push) Successful in 35s
CI / Fuzz Tests (push) Successful in 1m6s
CI / Mutation Tests (push) Successful in 1m10s
## Description Currently, the `check-pr-title` job has a security vulnerability. If you give the PR a bad title, the job can run arbitrary code. ## Changes - Fix prompt injection by pulling the PR title as an environment variable. - Also, restricted the job to only `pull_request` trigger. ### Design Decisions - It is better to pull out this job into a separate workflow with a unique trigger, but I chose not to because it is currently only one job. ## Checklist - [x] Tests pass - [x] Docs updated Reviewed-on: #18 Co-authored-by: M.V. Hutz <git@maximhutz.me> Co-committed-by: M.V. Hutz <git@maximhutz.me>
This commit was merged in pull request #18.
This commit is contained in:
@@ -9,9 +9,11 @@ jobs:
|
||||
check-pr-title:
|
||||
name: Check PR Title
|
||||
runs-on: ubuntu-latest
|
||||
if: github.event_name == 'pull_request'
|
||||
env:
|
||||
TITLE: ${{ gitea.event.pull_request.title }}
|
||||
steps:
|
||||
- run: |
|
||||
TITLE="${{ gitea.event.pull_request.title }}"
|
||||
if ! echo "$TITLE" | grep -qE '^(WIP: )?(feat|fix|docs|chore|ci|test|refactor|perf|build|style|revert)(\(.+\))?(!)?: .+'; then
|
||||
echo "::error::Pull Request title must follow conventional commits"
|
||||
exit 1
|
||||
|
||||
Reference in New Issue
Block a user