
Securing input values #38

Open

cmboling wants to merge 1 commit into main

Conversation

cmboling (Contributor) commented Mar 4, 2022

Adding documentation to provide guidance on how to avoid injections using this action. Adding intermediate environment variables will help avoid this issue.

The other approach is to refactor the action.yml, and let the action directly use the envs, provided the envs are absolutely set by users who are using this action. Keep in mind this approach would be a breaking change.

Let me know if you have a preference for either approach or have another idea.

@cmboling cmboling requested a review from zbazztian March 4, 2022 08:37
zbazztian (Contributor) commented

@cmboling Thanks, I agree that this should be improved indeed.

I am not sure I understand your second suggestion. Couldn't we just use this to modify the action along the lines of:

name: 'Test action'
description: "Testing"
inputs:
  jira_url:
    description: 'URL of the JIRA instance'
    required: true
runs:
  using: composite
  steps:
  - name: Run a test
    env:
      JIRA_URL: '${{ inputs.jira_url }}'
    shell: bash
    run: |
      echo "$JIRA_URL"

I believe this wouldn't break anything while fixing the issue or am I missing a detail?

By the way: It's a shame to see you leave! I wish you good luck with whatever you will be doing next!
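To make the risk and the fix concrete for both the PR description (intermediate environment variables) and the snippet above, here is an added example of the same composite action written two ways. This is illustration added here, not the project's action.yml or either commenter's code; the input name `jira_url` is taken from the thread, while the URL-shape check in the hardened step is an assumption about what a maintainer might want in addition.

```yaml
# Added example, not the project's action.yml. Shows the weak form
# (expression interpolated into the script) next to the hardened form
# (expression expanded into an env var, then read by bash as data).
name: 'Test action'
description: "Testing"
inputs:
  jira_url:
    description: 'URL of the JIRA instance'
    required: true
runs:
  using: composite
  steps:
  # WEAK (kept commented out so it never runs): the runner substitutes the
  # ${{ }} expression into the script text before bash starts, so whatever
  # the caller passed is parsed as shell source, not as a value.
  # - name: Run a test (injectable form)
  #   shell: bash
  #   run: |
  #     echo "${{ inputs.jira_url }}"

  # HARDENED: the expression is expanded into an environment variable.
  # Bash reads "$JIRA_URL" as a single quoted word; the value is never
  # part of the script, so shell metacharacters in it have no effect.
  - name: Run a test
    env:
      JIRA_URL: '${{ inputs.jira_url }}'
    shell: bash
    run: |
      # Assumed extra check (not from the thread): accept only an http(s)
      # URL before the value is used anywhere else. "::error::" is the
      # standard workflow command that surfaces the message in the job log.
      if [[ ! "$JIRA_URL" =~ ^https?://[A-Za-z0-9.-]+(:[0-9]+)?(/.*)?$ ]]; then
        echo "::error::jira_url does not look like an http(s) URL"
        exit 1
      fi
      echo "$JIRA_URL"
```

The key point is where the untrusted value enters: in the hardened step it is placed in the process environment by the runner, and the script only ever refers to it by name, so no change to the script text is possible whatever the input contains. The same pattern applies to any `${{ }}` expression that carries user-controlled data (issue titles, PR bodies, branch names), not just inputs.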

cmboling (Contributor Author) commented Mar 8, 2022

Ahh yea very true!!! Not sure what I was thinking when I originally thought about the issue, but yea I definitely think your code snippet actually resolves the issue! 💯

zbazztian (Contributor) commented

I created a PR for the changes. I reckon you are off this project now, so did not mention you there. This is just FYI. I plan to create a new release once it is merged. Cheers!
