Revert "refactor: escape user input to prevent script injection (#56)" (

#61) This reverts commit c1bcacc.
nrwl · Sep 2, 2022 · af5bb07 · af5bb07
1 parent c1bcacc
commit af5bb07
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 40 deletions.
diff --git a/action.yml b/action.yml
@@ -36,10 +36,8 @@ runs:
   steps:
     - name: Set base and head SHAs used for nx affected
       id: setSHAs
-      env:
-        GITHUB_TOKEN: ${{ github.token }}
       shell: bash
-      run: node $GITHUB_ACTION_PATH/dist/index.js
+      run: node $GITHUB_ACTION_PATH/dist/index.js ${{ github.token }} ${{ inputs.main-branch-name }} ${{ inputs.error-on-no-successful-workflow }} ${{ inputs.last-successful-event }} ${{ inputs.working-directory }} ${{ inputs.workflow-id }}
 
     - name: Log base and head SHAs used for nx affected
       shell: bash

diff --git a/dist/index.js b/dist/index.js
@@ -62798,11 +62798,12 @@ const { execSync } = __nccwpck_require__(3129);
 const { existsSync } = __nccwpck_require__(5747);
 
 const { runId, repo: { repo, owner }, eventName } = github.context;
-const mainBranchName = core.getInput('main-branch-name');
-const errorOnNoSuccessfulWorkflow = core.getInput('error-on-no-successful-workflow');
-const lastSuccessfulEvent = core.getInput('last-successful-event');
-const workingDirectory = core.getInput('working-directory');
-const workflowId = core.getInput('workflow-id');
+process.env.GITHUB_TOKEN = process.argv[2];
+const mainBranchName = process.argv[3];
+const errorOnNoSuccessfulWorkflow = process.argv[4];
+const lastSuccessfulEvent = process.argv[5];
+const workingDirectory = process.argv[6];
+const workflowId = process.argv[7];
 const defaultWorkingDirectory = '.';
 
 let BASE_SHA;
@@ -62811,15 +62812,15 @@ let BASE_SHA;
     if (existsSync(workingDirectory)) {
       process.chdir(workingDirectory);
     } else {
-      core.warning('\n');
-      core.warning(`WARNING: Working directory '${workingDirectory}' doesn't exist.\n`);
+      process.stdout.write('\n');
+      process.stdout.write(`WARNING: Working directory '${workingDirectory}' doesn't exist.\n`);
     }
   }
 
   const HEAD_SHA = execSync(`git rev-parse HEAD`, { encoding: 'utf-8' });
 
   if (eventName === 'pull_request') {
-    BASE_SHA = execSync(`git merge-base origin/"${mainBranchName}" HEAD`, { encoding: 'utf-8' });
+    BASE_SHA = execSync(`git merge-base origin/${mainBranchName} HEAD`, { encoding: 'utf-8' });
   } else {
     try {
       BASE_SHA = await findSuccessfulCommit(workflowId, runId, owner, repo, mainBranchName, lastSuccessfulEvent);
@@ -62833,19 +62834,19 @@ let BASE_SHA;
         reportFailure(mainBranchName);
         return;
       } else {
-        core.warning('\n');
-        core.warning(`WARNING: Unable to find a successful workflow run on 'origin/${mainBranchName}'\n`);
-        core.warning(`We are therefore defaulting to use HEAD~1 on 'origin/${mainBranchName}'\n`);
-        core.warning('\n');
-        core.warning(`NOTE: You can instead make this a hard error by setting 'error-on-no-successful-workflow' on the action in your workflow.\n`);
+        process.stdout.write('\n');
+        process.stdout.write(`WARNING: Unable to find a successful workflow run on 'origin/${mainBranchName}'\n`);
+        process.stdout.write(`We are therefore defaulting to use HEAD~1 on 'origin/${mainBranchName}'\n`);
+        process.stdout.write('\n');
+        process.stdout.write(`NOTE: You can instead make this a hard error by setting 'error-on-no-successful-workflow' on the action in your workflow.\n`);
 
         BASE_SHA = execSync(`git rev-parse HEAD~1`, { encoding: 'utf-8' });
         core.setOutput('noPreviousBuild', 'true');
       }
     } else {
-      core.info('\n');
-      core.info(`Found the last successful workflow run on 'origin/${mainBranchName}'\n`);
-      core.info(`Commit: ${BASE_SHA}\n`);
+      process.stdout.write('\n');
+      process.stdout.write(`Found the last successful workflow run on 'origin/${mainBranchName}'\n`);
+      process.stdout.write(`Commit: ${BASE_SHA}\n`);
     }
   }
 
@@ -62882,8 +62883,8 @@ async function findSuccessfulCommit(workflow_id, run_id, owner, repo, branch, la
       branch,
       run_id
     }).then(({ data: { workflow_id } }) => workflow_id);
-    core.info('\n');
-    core.info(`Workflow Id not provided. Using workflow '${workflow_id}'\n`);
+    process.stdout.write('\n');
+    process.stdout.write(`Workflow Id not provided. Using workflow '${workflow_id}'\n`);
   }
   // fetch all workflow runs on a given repo/branch/workflow with push and success
   const shas = await octokit.request(`GET /repos/${owner}/${repo}/actions/workflows/${workflow_id}/runs`, {

diff --git a/find-successful-workflow.js b/find-successful-workflow.js
@@ -5,11 +5,12 @@ const { execSync } = require('child_process');
 const { existsSync } = require('fs');
 
 const { runId, repo: { repo, owner }, eventName } = github.context;
-const mainBranchName = core.getInput('main-branch-name');
-const errorOnNoSuccessfulWorkflow = core.getInput('error-on-no-successful-workflow');
-const lastSuccessfulEvent = core.getInput('last-successful-event');
-const workingDirectory = core.getInput('working-directory');
-const workflowId = core.getInput('workflow-id');
+process.env.GITHUB_TOKEN = process.argv[2];
+const mainBranchName = process.argv[3];
+const errorOnNoSuccessfulWorkflow = process.argv[4];
+const lastSuccessfulEvent = process.argv[5];
+const workingDirectory = process.argv[6];
+const workflowId = process.argv[7];
 const defaultWorkingDirectory = '.';
 
 let BASE_SHA;
@@ -18,15 +19,15 @@ let BASE_SHA;
     if (existsSync(workingDirectory)) {
       process.chdir(workingDirectory);
     } else {
-      core.warning('\n');
-      core.warning(`WARNING: Working directory '${workingDirectory}' doesn't exist.\n`);
+      process.stdout.write('\n');
+      process.stdout.write(`WARNING: Working directory '${workingDirectory}' doesn't exist.\n`);
     }
   }
 
   const HEAD_SHA = execSync(`git rev-parse HEAD`, { encoding: 'utf-8' });
 
   if (eventName === 'pull_request') {
-    BASE_SHA = execSync(`git merge-base origin/"${mainBranchName}" HEAD`, { encoding: 'utf-8' });
+    BASE_SHA = execSync(`git merge-base origin/${mainBranchName} HEAD`, { encoding: 'utf-8' });
   } else {
     try {
       BASE_SHA = await findSuccessfulCommit(workflowId, runId, owner, repo, mainBranchName, lastSuccessfulEvent);
@@ -40,19 +41,19 @@ let BASE_SHA;
         reportFailure(mainBranchName);
         return;
       } else {
-        core.warning('\n');
-        core.warning(`WARNING: Unable to find a successful workflow run on 'origin/${mainBranchName}'\n`);
-        core.warning(`We are therefore defaulting to use HEAD~1 on 'origin/${mainBranchName}'\n`);
-        core.warning('\n');
-        core.warning(`NOTE: You can instead make this a hard error by setting 'error-on-no-successful-workflow' on the action in your workflow.\n`);
+        process.stdout.write('\n');
+        process.stdout.write(`WARNING: Unable to find a successful workflow run on 'origin/${mainBranchName}'\n`);
+        process.stdout.write(`We are therefore defaulting to use HEAD~1 on 'origin/${mainBranchName}'\n`);
+        process.stdout.write('\n');
+        process.stdout.write(`NOTE: You can instead make this a hard error by setting 'error-on-no-successful-workflow' on the action in your workflow.\n`);
 
         BASE_SHA = execSync(`git rev-parse HEAD~1`, { encoding: 'utf-8' });
         core.setOutput('noPreviousBuild', 'true');
       }
     } else {
-      core.info('\n');
-      core.info(`Found the last successful workflow run on 'origin/${mainBranchName}'\n`);
-      core.info(`Commit: ${BASE_SHA}\n`);
+      process.stdout.write('\n');
+      process.stdout.write(`Found the last successful workflow run on 'origin/${mainBranchName}'\n`);
+      process.stdout.write(`Commit: ${BASE_SHA}\n`);
     }
   }
 
@@ -89,8 +90,8 @@ async function findSuccessfulCommit(workflow_id, run_id, owner, repo, branch, la
       branch,
       run_id
     }).then(({ data: { workflow_id } }) => workflow_id);
-    core.info('\n');
-    core.info(`Workflow Id not provided. Using workflow '${workflow_id}'\n`);
+    process.stdout.write('\n');
+    process.stdout.write(`Workflow Id not provided. Using workflow '${workflow_id}'\n`);
   }
   // fetch all workflow runs on a given repo/branch/workflow with push and success
   const shas = await octokit.request(`GET /repos/${owner}/${repo}/actions/workflows/${workflow_id}/runs`, {

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "private": true,
-  "version": "2.2.6",
+  "version": "2.2.5",
   "license": "MIT",
   "description": "This package.json is here purely to control the version of the Action, in combination with https://github.com/JamesHenry/publish-shell-action",
   "scripts": {