ppkarwasz commented on PR #344: URL: https://github.com/apache/logging-parent/pull/344#issuecomment-2710079948
> @ppkarwasz, can you explain the hardening practiced by replacing `input.foo` statements with shell environment variables?

This follows the [Security Hardening for GitHub Actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#good-practices-for-mitigating-script-injection-attacks) guide.

Let's assume `inputs.foo` contains untrusted data, for example `3.0.0"; echo Hello world!`. Then:

```
export version="${{ inputs.foo }}"
```

will execute the `echo` command.

As noted before, the problem currently does not exist, since the inputs are either hard coded or come from trusted sources, but removing those potential problems is very cheap. I am sure that CodeQL will at some point issue warnings for those step definitions.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@logging.apache.org

For queries about this service, please contact Infrastructure at: us...@infra.apache.org
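The mechanism behind the comment above, as an added example that is not part of the PR or of the logging-parent project: GitHub evaluates `${{ ... }}` expressions and substitutes the result textually into the `run:` script before the shell ever parses it, so a value containing a closing quote and a `;` becomes shell code. The block below emulates that substitution locally with `printf`, runs the resulting script, then runs the hardened form in which the value is passed through an environment variable and only referenced as `"$FOO"`. The payload `INPUT` is a constructed value chosen so that its quotes close cleanly; `lint_run_steps` is a hypothetical helper that flags `${{` inside `run:` scripts of a workflow file, and `WORKFLOW` is a constructed snippet to run it against.

```shell
#!/bin/sh
# Constructed untrusted input: closes the double quote, injects a command,
# and reopens a quote so the rendered line stays syntactically valid.
INPUT='3.0.0"; echo INJECTED; :"'

# Emulate how GitHub renders `run: export version="${{ inputs.foo }}"`:
# the expression is replaced textually, exactly like a printf %s here.
render_unsafe() {
  printf 'export version="%s"\necho "version=$version"\n' "$1"
}

# Execute the rendered script the way the runner would hand it to the shell.
run_unsafe() {
  sh -c "$(render_unsafe "$1")"
}

# Hardened step: the value travels in the environment (env: FOO: ${{ inputs.foo }})
# and the script only ever reads "$FOO" as data, so it is never parsed as code.
run_safe() {
  FOO="$1" sh -c 'export version="$FOO"; echo "version=$version"'
}

# Hypothetical lint helper (not a real tool): print every line of a workflow
# read from stdin where a ${{ expression sits inside a run: script, with its
# line number, and exit 1 if any were found.
lint_run_steps() {
  awk '
    function indent(s) { match(s, /^[ ]*/); return RLENGTH }
    # a block scalar `run: |` or `run: >` opens a script body
    /^[ ]*-?[ ]*run:[ ]*[|>]/ { inrun = 1; base = indent($0); next }
    # the body ends at the first non-blank line that dedents to the key
    inrun && NF && indent($0) <= base { inrun = 0 }
    # flag expressions in the body or on a single-line run:
    (inrun || /^[ ]*-?[ ]*run:/) && index($0, "${{") { print NR ": " $0; hits++ }
    END { exit (hits ? 1 : 0) }
  '
}

# Constructed workflow fragment: one vulnerable step, one hardened step.
WORKFLOW='jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: unsafe
        run: |
          export version="${{ inputs.foo }}"
          echo "version=$version"
      - name: safe
        env:
          FOO: ${{ inputs.foo }}
        run: |
          export version="$FOO"
          echo "version=$version"
'

echo '--- unsafe step (expression expanded into the script) ---'
run_unsafe "$INPUT"
echo '--- safe step (value passed via environment) ---'
run_safe "$INPUT"
echo '--- lint of the constructed workflow ---'
printf '%s' "$WORKFLOW" | lint_run_steps || echo 'expressions found inside run: steps'
```

The unsafe path prints `INJECTED` before the version line; the safe path prints the whole payload verbatim as the value of `version`. The lint only reports line 7, the `run:` body, and not the `env:` mapping on line 11, which is the correct place for the expression.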