actions/install-action
1
0
Fork 0
mirror of https://github.com/taiki-e/install-action.git synced 2026-04-21 15:10:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

Unset/reject environment variables that may unexpectedly affect bash

Browse Source 
behavior
This commit is contained in:
Taiki Endo
2026-04-19 10:14:16 +09:00
parent ff5a208d55
commit e15ecae65f
3 changed files with 17 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.github/.cspell/project-dictionary.txt vendored
View File

@@ -2,6 +2,7 @@ almalinux
archlinux archlinux
binstall binstall
callgrind callgrind
CDPATH
coreutils coreutils
covgate covgate
cyclonedx cyclonedx

16
action.yml
View File

@@ -22,7 +22,10 @@ runs:
using: composite using: composite
steps: steps:
- run: | - run: |
set -eu if /usr/bin/env | grep -Eq '^BASH_FUNC_'; then
printf '::error::bash function injection via BASH_FUNC_ environment variable is not allowed for security reasons\n'
exit 1
fi
if ! command -v bash >/dev/null; then if ! command -v bash >/dev/null; then
if grep -Eq '^ID=alpine' /etc/os-release; then if grep -Eq '^ID=alpine' /etc/os-release; then
printf '::group::Install packages required for install-action (bash)\n' printf '::group::Install packages required for install-action (bash)\n'
@@ -41,7 +44,7 @@ runs:
fi fi
fi fi
bash --noprofile --norc "${GITHUB_ACTION_PATH:?}/main.sh" bash --noprofile --norc "${GITHUB_ACTION_PATH:?}/main.sh"
shell: sh shell: /usr/bin/env -u ENV -u BASH_ENV -u CDPATH -u SHELLOPTS -u BASHOPTS /bin/sh -eu {0} # zizmor: ignore[misfeature] false positive
env: env:
# NB: Sync with Windows case. # NB: Sync with Windows case.
INPUT_TOOL: ${{ inputs.tool }} INPUT_TOOL: ${{ inputs.tool }}
@@ -54,6 +57,15 @@ runs:
# https://github.com/actions/partner-runner-images/issues/169 # https://github.com/actions/partner-runner-images/issues/169
- run: | - run: |
Set-StrictMode -Version Latest Set-StrictMode -Version Latest
if (Test-Path "Env:ENV") { Remove-Item Env:\ENV }
if (Test-Path "Env:BASH_ENV") { Remove-Item Env:\BASH_ENV }
if (Test-Path "Env:CDPATH") { Remove-Item Env:\CDPATH }
if (Test-Path "Env:SHELLOPTS") { Remove-Item Env:\SHELLOPTS }
if (Test-Path "Env:BASHOPTS") { Remove-Item Env:\BASHOPTS }
if (Test-Path "Env:BASH_FUNC_*") {
Write-Output "::error::bash function injection via BASH_FUNC_ environment variable is not allowed for security reasons"
exit 1
}
for ($i=1; $i -le 10; $i++) { for ($i=1; $i -le 10; $i++) {
$prev_err_action = $ErrorActionPreference $prev_err_action = $ErrorActionPreference
$ErrorActionPreference = "Continue" $ErrorActionPreference = "Continue"

4
tools/tidy.sh
View File

@@ -27,14 +27,14 @@ fi
if [[ -n "${TIDY_DEV:-}" ]]; then if [[ -n "${TIDY_DEV:-}" ]]; then
image="ghcr.io/taiki-e/tidy:latest" image="ghcr.io/taiki-e/tidy:latest"
else else
image="ghcr.io/taiki-e/tidy@sha256:bce85a4321f80c09f2b68420e9149bcf7c085130ab1e1fca54443f76833cd184" image="ghcr.io/taiki-e/tidy@sha256:71def761a5585e83a2672c4051aee13cd886ad5571215aee52f193454bb3cdff"
fi fi
user="$(id -u):$(id -g)" user="$(id -u):$(id -g)"
workdir=$(pwd) workdir=$(pwd)
tmp=$(mktemp -d) tmp=$(mktemp -d)
trap -- 'rm -rf -- "${tmp:?}"' EXIT trap -- 'rm -rf -- "${tmp:?}"' EXIT
mkdir -p -- "${tmp}"/{pwsh-cache,pwsh-local,zizmor-cache,dummy-dir,tmp} mkdir -p -- "${tmp}"/{pwsh-cache,pwsh-local,zizmor-cache,dummy-dir,tmp}
touch -- "${tmp}"/dummy printf '' >"${tmp}"/dummy
code=0 code=0
color='' color=''
if [[ -t 1 ]] || [[ -n "${GITHUB_ACTIONS:-}" ]]; then if [[ -t 1 ]] || [[ -n "${GITHUB_ACTIONS:-}" ]]; then