Unset/reject environment variables that may unexpectedly affect bash behavior
This commit is contained in:
Taiki Endo
2026-04-19 10:14:16 +09:00
parent ff5a208d55
commit e15ecae65f
3 changed files with 17 additions and 4 deletions


@@ -22,7 +22,10 @@ runs:
using: composite
steps:
- run: |
set -eu
if /usr/bin/env | grep -Eq '^BASH_FUNC_'; then
printf '::error::bash function injection via BASH_FUNC_ environment variable is not allowed for security reasons\n'
exit 1
fi
if ! command -v bash >/dev/null; then
if grep -Eq '^ID=alpine' /etc/os-release; then
printf '::group::Install packages required for install-action (bash)\n'
@@ -41,7 +44,7 @@ runs:
fi
fi
bash --noprofile --norc "${GITHUB_ACTION_PATH:?}/main.sh"
shell: sh
shell: /usr/bin/env -u ENV -u BASH_ENV -u CDPATH -u SHELLOPTS -u BASHOPTS /bin/sh -eu {0} # zizmor: ignore[misfeature] false positive
env:
# NB: Sync with Windows case.
INPUT_TOOL: ${{ inputs.tool }}
@@ -54,6 +57,15 @@ runs:
# https://github.com/actions/partner-runner-images/issues/169
- run: |
Set-StrictMode -Version Latest
if (Test-Path "Env:ENV") { Remove-Item Env:\ENV }
if (Test-Path "Env:BASH_ENV") { Remove-Item Env:\BASH_ENV }
if (Test-Path "Env:CDPATH") { Remove-Item Env:\CDPATH }
if (Test-Path "Env:SHELLOPTS") { Remove-Item Env:\SHELLOPTS }
if (Test-Path "Env:BASHOPTS") { Remove-Item Env:\BASHOPTS }
if (Test-Path "Env:BASH_FUNC_*") {
Write-Output "::error::bash function injection via BASH_FUNC_ environment variable is not allowed for security reasons"
exit 1
}
for ($i=1; $i -le 10; $i++) {
$prev_err_action = $ErrorActionPreference
$ErrorActionPreference = "Continue"
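Review bot: The check on the `if /usr/bin/env | grep -Eq '^BASH_FUNC_'` line in the first hunk is correct in the direction that matters, but it is undocumented and has two behaviours worth stating: it also fires when some unrelated variable's value contains a newline followed by `BASH_FUNC_` (a false positive, which fails closed), and because the pipeline runs under `set -eu` without pipefail a failing env(1) would make the check pass silently. A short comment above the `if` would save the next maintainer a trip to the bash manual, e.g. `# bash imports exported functions from BASH_FUNC_<name>%%=... in the environment; refuse them so nothing can be injected into main.sh`. The PowerShell step in the third hunk mirrors this with `Test-Path "Env:BASH_FUNC_*"` and would benefit from the same comment. Both hunks cut through their `- run: |` step, so each step's body begins before and continues after the lines shown.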