Unset/reject environment variables that may unexpectedly affect bash

behavior

action.yml

@@ -22,7 +22,10 @@ runs:
   using: composite
   steps:
     - run: |
-        set -eu
+        if /usr/bin/env | grep -Eq '^BASH_FUNC_'; then
+          printf '::error::bash function injection via BASH_FUNC_ environment variable is not allowed for security reasons\n'
+          exit 1
+        fi
         if ! command -v bash >/dev/null; then
           if grep -Eq '^ID=alpine' /etc/os-release; then
             printf '::group::Install packages required for install-action (bash)\n'
@@ -41,7 +44,7 @@ runs:
           fi
         fi
         bash --noprofile --norc "${GITHUB_ACTION_PATH:?}/main.sh"
-      shell: sh
+      shell: /usr/bin/env -u ENV -u BASH_ENV -u CDPATH -u SHELLOPTS -u BASHOPTS /bin/sh -eu {0} # zizmor: ignore[misfeature] false positive
       env:
         # NB: Sync with Windows case.
         INPUT_TOOL: ${{ inputs.tool }}
@@ -54,6 +57,15 @@ runs:
     # https://github.com/actions/partner-runner-images/issues/169
     - run: |
         Set-StrictMode -Version Latest
+        if (Test-Path "Env:ENV") { Remove-Item Env:\ENV }
+        if (Test-Path "Env:BASH_ENV") { Remove-Item Env:\BASH_ENV }
+        if (Test-Path "Env:CDPATH") { Remove-Item Env:\CDPATH }
+        if (Test-Path "Env:SHELLOPTS") { Remove-Item Env:\SHELLOPTS }
+        if (Test-Path "Env:BASHOPTS") { Remove-Item Env:\BASHOPTS }
+        if (Test-Path "Env:BASH_FUNC_*") {
+          Write-Output "::error::bash function injection via BASH_FUNC_ environment variable is not allowed for security reasons"
+          exit 1
+        }
         for ($i=1; $i -le 10; $i++) {
           $prev_err_action = $ErrorActionPreference
           $ErrorActionPreference = "Continue"