This is an automated email from the ASF dual-hosted git repository.

lidavidm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/arrow-adbc.git


The following commit(s) were added to refs/heads/main by this push:
     new 6f1a381ff fix(ci): Sanitize PR title (#1677)
6f1a381ff is described below

commit 6f1a381ff9a503a4cf018c11b1514a4e34a8df0b
Author: Adnan Khan <[email protected]>
AuthorDate: Wed Mar 27 08:11:35 2024 -0400

    fix(ci): Sanitize PR title (#1677)
    
    My scanner picked up this vulnerability added recently. Just making a PR
    to fix it instead of going through the whole ASF reporting process
    because the workflow permissions are locked down to just PR and issues
    write and there are no secrets, so the worst someone could do is be a
    nuisance or try cache poisoning (which attackers don't know how to
    do...yet).
    
    Ref:
    
    https://securitylab.github.com/research/github-actions-untrusted-input/
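The injection the commit message refers to, worked through as an added example (this is not the project's code and not from the commit author). It models the Actions runner's handling of a `run:` step as plain text substitution of `${{ ... }}` expressions before the shell parses the script, which is what the runner does; the `title_check` script here is an assumed stand-in for `dev_pr/title_check.py` that only echoes the title, and the hostile title is constructed for the demo:

```shell
#!/bin/sh
# Added example, not code from the arrow-adbc project. It models the GitHub
# Actions runner's treatment of a `run:` step: every ${{ ... }} expression is
# replaced by its raw text BEFORE the shell ever parses the script, so a PR
# title pasted in that way becomes program text. Passing the same title via
# `env:` hands it to the shell as data, which is what the fix does.
# Assumption: `title_check` is a stand-in for the project's
# dev_pr/title_check.py and only echoes the title it was given.

WORK=$(mktemp -d)
MARKER="$WORK/injected"          # created only if injected code actually ran
cat > "$WORK/title_check" <<'EOF'
#!/bin/sh
printf 'title=[%s]\n' "$1"
EOF
chmod +x "$WORK/title_check"
PATH="$WORK:$PATH"; export PATH

# Constructed hostile PR title: closes the quoted argument, runs a command,
# then reopens a quote so the remainder of the line still parses.
EVIL_TITLE="feat: harmless\"; touch $MARKER; echo \""

# The two `run:` bodies, shaped like the workflow before and after the fix.
VULNERABLE_STEP='title_check "${{ github.event.pull_request.title }}"'
FIXED_STEP='title_check "$PR_TITLE"'

# Runner behaviour for expressions: literal text substitution into the script.
render_template() {
  expr='${{ github.event.pull_request.title }}'
  case "$1" in
    *"$expr"*)
      before=${1%%"$expr"*}
      after=${1#*"$expr"}
      printf '%s' "$before$2$after" ;;
    *) printf '%s' "$1" ;;
  esac
}

run_vulnerable() {   # before: title spliced into the program text, then executed
  sh -c "$(render_template "$VULNERABLE_STEP" "$1")" 2>&1
}
run_fixed() {        # after: program text is constant, title is an env var
  PR_TITLE=$1 sh -c "$FIXED_STEP" 2>&1
}
injected() { if [ -e "$MARKER" ]; then echo yes; else echo no; fi; }

# Demo when run directly.
rm -f "$MARKER"; run_vulnerable "$EVIL_TITLE"; echo "vulnerable injected: $(injected)"
rm -f "$MARKER"; run_fixed "$EVIL_TITLE";      echo "fixed injected: $(injected)"
rm -f "$MARKER"
```

With the vulnerable step the rendered script is three commands (the checker call, `touch`, and an `echo ""`) and the marker file appears; with the fixed step the shell only ever sees `title_check "$PR_TITLE"` and the whole hostile string is delivered to the checker as one argument. The double quotes around `$PR_TITLE` matter: unquoted, the value would still be word-split and glob-expanded, though not executed.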
---
 .github/workflows/dev_pr.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/dev_pr.yml b/.github/workflows/dev_pr.yml
index 1971128ec..a001695cf 100644
--- a/.github/workflows/dev_pr.yml
+++ b/.github/workflows/dev_pr.yml
@@ -53,5 +53,7 @@ jobs:
           ref: "${{ github.event.pull_request.merge_commit_sha }}"
 
       - name: Check PR title for conventional commit format
+        env:
+          PR_TITLE: ${{ github.event.pull_request.title }}
         run: |
-          python .github/workflows/dev_pr/title_check.py $(pwd)/pr_checkout 
"${{ github.event.pull_request.title }}"
+          python .github/workflows/dev_pr/title_check.py $(pwd)/pr_checkout 
"$PR_TITLE"
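Review bot: the double quotes around `$PR_TITLE` on the new `run:` line are load-bearing and should not be dropped later: with `env:` the title is data in the process environment instead of text spliced into the script body, but an unquoted `$PR_TITLE` would still be word-split and glob-expanded by the shell. For consistency, `$(pwd)/pr_checkout` on the same line is unquoted and could be written `"$(pwd)/pr_checkout"` (or `"$GITHUB_WORKSPACE/pr_checkout"`). Worth confirming that no other `run:` step in this file interpolates `github.event.pull_request.*` fields the same way; the `merge_commit_sha` expression in the context above is a YAML input value (`ref:`), not part of a shell script, so it is not the same problem. Finally, the change alters how the value is passed rather than sanitizing it, so `title_check.py` must keep treating its title argument as untrusted input.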
