Fix script injection risk by passing inputs via env vars

illera88 · illera88 · commit 98fac3d0c464 · 2026-02-06T10:44:06.000-08:00
Move action input interpolation from the shell script body into the
env block. This prevents potential script injection via crafted input
values, since environment variables are assigned before the shell
interprets the script — values can never break out of their string
context.

This also eliminates the heredoc complexity, improving readability.
diff --git a/action.yml b/action.yml
@@ -48,20 +48,14 @@ runs:
   - name: Decide whether the input jobs succeeded or failed
     id: outcome
     env:
+      INPUT_ALLOWED_FAILURES: ${{ inputs.allowed-failures }}
+      INPUT_ALLOWED_SKIPS: ${{ inputs.allowed-skips }}
+      INPUT_JOBS: ${{ inputs.jobs }}
       PYTHONPATH: ${{ github.action_path }}/src
     run: |
       python -m normalize_needed_jobs_status \
-      "$(cat << EOM
-        ${{ inputs.allowed-failures }}
-      EOM
-      )" \
-      "$(cat << EOM
-        ${{ inputs.allowed-skips }}
-      EOM
-      )" \
-      "$(cat << EOM
-        ${{ inputs.jobs }}
-      EOM
-      )"
+        "$INPUT_ALLOWED_FAILURES" \
+        "$INPUT_ALLOWED_SKIPS" \
+        "$INPUT_JOBS"
     shell: bash
 ...
