From 6be644738af14a164c95f0f2a81fba266584520a Mon Sep 17 00:00:00 2001
From: Sandeep Nishad
Date: Thu, 25 Apr 2024 13:19:56 +0530
Subject: [PATCH] ci: mitigate script injection attack in test_weaver-pre-release.yaml

Fixes the script injection attack mentioned here:
https://hackerone.com/reports/2471956

Signed-off-by: Sandeep Nishad
---
 .github/workflows/test_weaver-pre-release.yaml | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/test_weaver-pre-release.yaml b/.github/workflows/test_weaver-pre-release.yaml
index 1ad860c879..b15c2bfc03 100644
--- a/.github/workflows/test_weaver-pre-release.yaml
+++ b/.github/workflows/test_weaver-pre-release.yaml
@@ -23,9 +23,11 @@ jobs:
 
       - name: Ignore if not a release PR
         id: early
+        env:
+          TITLE: ${{ github.event.pull_request.title }}
         run : |
           status="skip"
-          if echo "${{ github.event.pull_request.title }}" | grep -q "chore(release)"; then
+          if echo ${TITLE} | grep -q "chore(release)"; then
             status="continue"
           fi
           echo "status=$status" >> $GITHUB_OUTPUT
@@ -39,10 +41,12 @@ jobs:
 
       - uses: actions/checkout@v4.1.1
       - name: Get release verison from PR title
+        env:
+          TITLE: ${{ github.event.pull_request.title }}
         run: |
           # Assuming release PR follows pattern: chore(release): publish vA.B.C
           # Split PR title by space, and take 3rd word
-          VERSION=$(echo "${{ github.event.pull_request.title }}" | cut -d ' ' -f 3)
+          VERSION=$(echo "${TITLE}" | cut -d ' ' -f 3)
           # Strip "v" from version
           VERSION=$(echo $VERSION | sed -e 's/^v//')
           echo "VERSION=$VERSION" >> $GITHUB_ENV
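Review bot: The rewritten `if` line drops the double quotes that the removed line had around the title, so `${TITLE}` now undergoes word splitting and pathname expansion before it reaches `echo`; a title containing `*` or `?` would be expanded against the checkout directory and runs of spaces would be collapsed. Keep the expansion quoted, as the two later hunks already do: `if echo "${TITLE}" | grep -q "chore(release)"; then`. The pattern also matches `chore(release)` anywhere in the title, not only at the start that the comment in the later hunks describes; `grep -q '^chore(release)'` would tie the gate to that convention, assuming the release tooling does put the marker first. The step's surrounding job definition is outside the hunk.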
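Review bot: `VERSION` is cut from the PR title and appended to `$GITHUB_ENV` without any check on its shape, both here and in the identical hunk at `@@ -146,10 +150,12 @@`; routing the title through the `TITLE` env var stops it from being pasted into the script text, but whatever the third word of the title happens to be still becomes an environment variable for every later step of the job, and those steps are outside the hunk. After the `sed` line, fail the step when the value is not a plain version, e.g. `[[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "unexpected version in PR title: $VERSION" >&2; exit 1; }`. Since `$GITHUB_ENV` is a newline-delimited `name=value` file, such a check also rules out any multi-line value, should the event payload ever carry one.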
@@ -146,10 +150,12 @@ jobs:
 
       - uses: actions/checkout@v4.1.1
       - name: Get release verison from PR title
+        env:
+          TITLE: ${{ github.event.pull_request.title }}
         run: |
           # Assuming release PR follows pattern: chore(release): publish vA.B.C
           # Split PR title by space, and take 3rd word
-          VERSION=$(echo "${{ github.event.pull_request.title }}" | cut -d ' ' -f 3)
+          VERSION=$(echo "${TITLE}" | cut -d ' ' -f 3)
           # Strip "v" from version
           VERSION=$(echo $VERSION | sed -e 's/^v//')
           echo "VERSION=$VERSION" >> $GITHUB_ENV