Closed diogoteles08 closed 2 months ago
@diogoteles08 Thanks for your contribution! We'll take a look. If not done already, please sign the CLA - https://github.com/optimizely/swift-sdk/blob/master/CONTRIBUTING.md
This is going into our next sprint under ticket FSSDK-10665
@diogoteles08 this issue has been fixed with the PR
Hi! I'm Diogo from Google's Open Source Security Team(GOSST) and I'm dropping by to suggest this small change that will enhance the security of your repository by preventing script injection attacks through your GitHub workflows.
In the piece of code I changed, you were directly using the value of a variable that comes from a user's input, so a malicious user could exploit that input and use it to run arbitrary code. By using an intermediate environment variable, the value of the expression is stored in memory, used as a variable and doesn't interact with the script generation process. This mitigates the script injection risks and also keeps your workflow running exactly as before.
You can find more information about this on this github documentation or in this gitguardian blogpost.
Cheers!