hadolint / hadolint-action

GitHub action for Hadolint, A Dockerfile linting tool
MIT License

Use env to avoid script injection in CI workflow #62

Closed timmc-edx closed 1 year ago

timmc-edx commented 1 year ago

I haven't tested this, and I'm not sure if the output can contain anything usable in an exploit, but using env variables for untrusted input is recommended in general:

https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#example-of-a-script-injection-attack
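To make the injection concrete, here is an added shell simulation (not code from hadolint-action or from the PR) of the two patterns the linked guide contrasts. The step id `hadolint` and the output name `results` are assumed for illustration, and the "linter output" is a constructed string: a finding that echoes back a line from a Dockerfile the PR author controls, which is exactly the kind of value a linter can emit. `run_inline` mimics `run: echo "${{ steps.hadolint.outputs.results }}"`, where the runner pastes the value into the script text before the shell parses it; `run_env` mimics passing the same value through `env:` and reading `$HADOLINT_RESULTS`, where the shell only ever sees it as data.

```shell
#!/bin/sh
# Added example (not hadolint-action's code): how ${{ }} expansion differs from
# an env variable once the step's script reaches the shell.

# Constructed attacker-influenced value. Assumed to be the text of a hadolint
# finding that quotes a Dockerfile line supplied in a pull request.
UNTRUSTED='Dockerfile:1 DL3007 warning"; echo INJECTED; echo "'

# Vulnerable pattern, equivalent to the workflow step
#   run: echo "${{ steps.hadolint.outputs.results }}"
# The Actions runner substitutes the expression into the script TEXT, so any
# quotes or metacharacters in the value become shell syntax.
run_inline() {
    script="echo \"$1\""
    sh -c "$script"
}

# Hardened pattern, equivalent to
#   env:
#     HADOLINT_RESULTS: ${{ steps.hadolint.outputs.results }}
#   run: echo "$HADOLINT_RESULTS"
# The value is placed in the environment and the script text is fixed, so the
# shell expands it as a single string and never parses its contents.
run_env() {
    HADOLINT_RESULTS="$1" sh -c 'echo "$HADOLINT_RESULTS"'
}

# Returns 0 when a pattern reproduces the input verbatim (no injection),
# 1 when the output differs from what was passed in.
preserved_verbatim() {
    [ "$("$1" "$UNTRUSTED")" = "$UNTRUSTED" ]
}

echo "--- inline expansion (vulnerable) ---"
run_inline "$UNTRUSTED"
echo "--- env variable (hardened) ---"
run_env "$UNTRUSTED"
```

Running it shows the inline form printing `INJECTED` on its own line (the attacker's command ran), while the env form prints the whole finding, quotes and all, as one line. The same reasoning applies to any step output or event field that a contributor can influence; the guide's advice is to route it through `env:` (or an action input) rather than into `run:`.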

lorenzo commented 1 year ago

bundled your changes with #68, thanks!