Merge pull request from GHSA-mcph-m25j-8j63

* feat: add `safe_output` input enabled by default

* fix: migrate README to safe uses of interpolation

* fix: README `uses` typo

* fix: README examples to account for newlines

* fix: README examples missing `safe_output`

* fix: remove sanitization of `'`

* fix: also sanitize `|&;`
This commit is contained in:
Jorge
2023-12-22 22:07:32 +01:00
committed by GitHub
parent 089842a7a8
commit 0102c07446
6 changed files with 110 additions and 29 deletions


@@ -43,7 +43,8 @@ export const setOutputsAndGetModifiedAndChangedFilesStatus = async ({
writeOutputFiles: inputs.writeOutputFiles,
outputDir: inputs.outputDir,
json: inputs.json,
shouldEscape: inputs.escapeJson
shouldEscape: inputs.escapeJson,
safeOutput: inputs.safeOutput
})
await setOutput({
key: getOutputKey('added_files_count', outputPrefix),
@@ -64,7 +65,8 @@ export const setOutputsAndGetModifiedAndChangedFilesStatus = async ({
writeOutputFiles: inputs.writeOutputFiles,
outputDir: inputs.outputDir,
json: inputs.json,
shouldEscape: inputs.escapeJson
shouldEscape: inputs.escapeJson,
safeOutput: inputs.safeOutput
})
await setOutput({
@@ -86,7 +88,8 @@ export const setOutputsAndGetModifiedAndChangedFilesStatus = async ({
writeOutputFiles: inputs.writeOutputFiles,
outputDir: inputs.outputDir,
json: inputs.json,
shouldEscape: inputs.escapeJson
shouldEscape: inputs.escapeJson,
safeOutput: inputs.safeOutput
})
await setOutput({
@@ -108,7 +111,8 @@ export const setOutputsAndGetModifiedAndChangedFilesStatus = async ({
writeOutputFiles: inputs.writeOutputFiles,
outputDir: inputs.outputDir,
json: inputs.json,
shouldEscape: inputs.escapeJson
shouldEscape: inputs.escapeJson,
safeOutput: inputs.safeOutput
})
await setOutput({
@@ -130,7 +134,8 @@ export const setOutputsAndGetModifiedAndChangedFilesStatus = async ({
writeOutputFiles: inputs.writeOutputFiles,
outputDir: inputs.outputDir,
json: inputs.json,
shouldEscape: inputs.escapeJson
shouldEscape: inputs.escapeJson,
safeOutput: inputs.safeOutput
})
await setOutput({
@@ -152,7 +157,8 @@ export const setOutputsAndGetModifiedAndChangedFilesStatus = async ({
writeOutputFiles: inputs.writeOutputFiles,
outputDir: inputs.outputDir,
json: inputs.json,
shouldEscape: inputs.escapeJson
shouldEscape: inputs.escapeJson,
safeOutput: inputs.safeOutput
})
await setOutput({
@@ -174,7 +180,8 @@ export const setOutputsAndGetModifiedAndChangedFilesStatus = async ({
writeOutputFiles: inputs.writeOutputFiles,
outputDir: inputs.outputDir,
json: inputs.json,
shouldEscape: inputs.escapeJson
shouldEscape: inputs.escapeJson,
safeOutput: inputs.safeOutput
})
await setOutput({
@@ -199,7 +206,8 @@ export const setOutputsAndGetModifiedAndChangedFilesStatus = async ({
writeOutputFiles: inputs.writeOutputFiles,
outputDir: inputs.outputDir,
json: inputs.json,
shouldEscape: inputs.escapeJson
shouldEscape: inputs.escapeJson,
safeOutput: inputs.safeOutput
})
await setOutput({
@@ -226,7 +234,8 @@ export const setOutputsAndGetModifiedAndChangedFilesStatus = async ({
writeOutputFiles: inputs.writeOutputFiles,
outputDir: inputs.outputDir,
json: inputs.json,
shouldEscape: inputs.escapeJson
shouldEscape: inputs.escapeJson,
safeOutput: inputs.safeOutput
})
await setOutput({
@@ -314,7 +323,8 @@ export const setOutputsAndGetModifiedAndChangedFilesStatus = async ({
writeOutputFiles: inputs.writeOutputFiles,
outputDir: inputs.outputDir,
json: inputs.json,
shouldEscape: inputs.escapeJson
shouldEscape: inputs.escapeJson,
safeOutput: inputs.safeOutput
})
await setOutput({
@@ -419,7 +429,8 @@ export const setOutputsAndGetModifiedAndChangedFilesStatus = async ({
writeOutputFiles: inputs.writeOutputFiles,
outputDir: inputs.outputDir,
json: inputs.json,
shouldEscape: inputs.escapeJson
shouldEscape: inputs.escapeJson,
safeOutput: inputs.safeOutput
})
await setOutput({
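Review bot: Each of these eleven call sites now forwards `safeOutput: inputs.safeOutput` next to `json: inputs.json`, but in this commit's `setOutput` the backslash escaping runs after the `if (json)` branch, so when both `json` and `safe_output` are on, a value containing `$`, `(`, `)`, a backtick, `|`, `&` or `;` receives a `\` that is not a valid JSON escape sequence and the emitted JSON presumably no longer parses (the JSON branch itself is outside the visible hunk, so confirm what it produces). The same pair is passed at the `all_old_new_renamed_files` site in the third file of this commit. The option block repeated at every site would be safer as one spread object, e.g. `const outputOpts = {writeOutputFiles: inputs.writeOutputFiles, outputDir: inputs.outputDir, json: inputs.json, shouldEscape: inputs.escapeJson, safeOutput: inputs.safeOutput}` with `...outputOpts` at each call, so a future flag cannot be missed at one site. setOutputsAndGetModifiedAndChangedFilesStatus starts before and ends after these hunks.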


@@ -34,6 +34,7 @@ export type Inputs = {
dirNamesDeletedFilesIncludeOnlyDeletedDirs: boolean
json: boolean
escapeJson: boolean
safeOutput: boolean
fetchDepth?: number
fetchSubmoduleHistory: boolean
sinceLastRemoteCommit: boolean
@@ -154,6 +155,7 @@ export const getInputs = (): Inputs => {
)
const json = core.getBooleanInput('json', {required: false})
const escapeJson = core.getBooleanInput('escape_json', {required: false})
const safeOutput = core.getBooleanInput('safe_output', {required: false})
const fetchDepth = core.getInput('fetch_depth', {required: false})
const sinceLastRemoteCommit = core.getBooleanInput(
'since_last_remote_commit',
@@ -272,6 +274,7 @@ export const getInputs = (): Inputs => {
dirNamesIncludeFilesSeparator,
json,
escapeJson,
safeOutput,
writeOutputFiles,
outputDir,
outputRenamedFilesAsDeletedAndAdded,
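Review bot: The new `safeOutput: boolean` field in `Inputs` and the `core.getBooleanInput('safe_output', {required: false})` read carry no comment saying what the flag does or that it is on by default, which the commit title states but the code does not show; a one-line comment on the type field such as `// backslash-escape shell metacharacters in every output value; enabled by default` would document the contract where consumers look for it. `getBooleanInput` throws when the input string is empty or not a recognised boolean, so this read depends on action.yml (among the changed files, not shown here) declaring a default for `safe_output` — worth confirming that it does. getInputs continues outside the hunk.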


@@ -173,7 +173,8 @@ const getChangedFilesFromLocalGitHistory = async ({
value: allOldNewRenamedFiles.paths,
writeOutputFiles: inputs.writeOutputFiles,
outputDir: inputs.outputDir,
json: inputs.json
json: inputs.json,
safeOutput: inputs.safeOutput
})
await setOutput({
key: 'all_old_new_renamed_files_count',
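Review bot: This call site now forwards `safeOutput: inputs.safeOutput` but, unlike every `setOutput` call in the outputs file of this commit, still does not forward `shouldEscape: inputs.escapeJson`; with `setOutput`'s default of `shouldEscape = false` the `all_old_new_renamed_files` output is never JSON-escaped even when `escape_json` is set. If that is intended, a comment here saying so would stop the next reader from adding it; if not, `shouldEscape: inputs.escapeJson,` belongs alongside the other options. getChangedFilesFromLocalGitHistory starts and ends outside the hunk.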


@@ -1324,7 +1324,8 @@ export const setArrayOutput = async ({
writeOutputFiles: inputs.writeOutputFiles,
outputDir: inputs.outputDir,
json: inputs.json,
shouldEscape: inputs.escapeJson
shouldEscape: inputs.escapeJson,
safeOutput: inputs.safeOutput
})
}
@@ -1334,7 +1335,8 @@ export const setOutput = async ({
writeOutputFiles,
outputDir,
json = false,
shouldEscape = false
shouldEscape = false,
safeOutput = false
}: {
key: string
value: string | string[] | boolean
@@ -1342,6 +1344,7 @@ export const setOutput = async ({
outputDir: string
json?: boolean
shouldEscape?: boolean
safeOutput?: boolean
}): Promise<void> => {
let cleanedValue
if (json) {
@@ -1350,6 +1353,11 @@ export const setOutput = async ({
cleanedValue = value.toString().trim()
}
// if safeOutput is true, escape special characters for bash shell
if (safeOutput) {
cleanedValue = cleanedValue.replace(/[$()`|&;]/g, '\\$&')
}
core.setOutput(key, cleanedValue)
if (writeOutputFiles) {