fix: avoid injection risks when parsing PR title (#748)

2023-11-07 22:01:54 -08:00 · 2023-11-07 22:01:54 -08:00 · f3913c6c99
parent 261703ddba
commit f3913c6c99
1 changed files with 4 additions and 13 deletions
--- a/.github/workflows/test-e2e-pr.yml
+++ b/.github/workflows/test-e2e-pr.yml
@ -2,7 +2,6 @@ name: E2E Test PR
 run-name: E2E Test PR--${{ github.event.pull_request.title }}
 on:
  pull_request:
-    branches: [dev, release, main]
    types: [opened, reopened, synchronize, edited]

 concurrency:
@ -13,9 +12,6 @@ jobs:
  parse-components:
    name: Parse Affected Components
    runs-on: ubuntu-latest
-    permissions:
-      pull-requests: write
-      issues: write
    outputs:
      testComponents: ${{ steps.parseTitle.outputs.testComponents }}
    steps:
@ -24,27 +20,22 @@ jobs:
        uses: actions/github-script@v6
        with:
          script: |
-            const prTitle = '${{ github.event.pull_request.title }}'
+            const prTitle = context.payload.pull_request.title
            const regex = /\[(.*?)\]/
            const matches = prTitle.match(regex)
            if (matches && matches.length > 1 && matches[1]) {
-              let components = matches[1].split(',').map(c => `${c.trim()}/`).filter(c => c)
+              let components = matches[1].split(',').map(c => c.trim()).filter(c => /^[a-z\-]+$/.test(c)).map(c => `${c}/`)
              components = [...new Set(components)].slice(0, 3).join(' ')
-              core.exportVariable('testComponents', components)
+              core.setOutput('testComponents', components)
            } else {
              const warningString =`
-              **[warning]** The component to be tested is missing. (This warning is from ${{ github.workflow }})
+              The component to be tested is missing.

              The title of the Pull request should look like "fix(vue-renderless): [action-menu, alert] fix xxx bug".
              
              Please make sure you've read our [contributing guide](https://github.com/opentiny/tiny-vue/blob/dev/CONTRIBUTING.md)
              `
              core.warning(warningString)
-              try {
-                github.rest.issues.createComment({ issue_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo, body: warningString })
-              } catch(err) {
-                core.error(err)
-              }
            }
  pr-test:
    if: ${{ needs.parse-components.outputs.testComponents }}