mirror of
https://github.com/actions/checkout.git
synced 2026-07-16 16:45:51 +00:00
Compare commits
1 Commits
main
...
dependabot
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
e389253e4d |
@@ -24,20 +24,9 @@ const mockGithubContext: any = {
|
|||||||
payload: {}
|
payload: {}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Replicate @actions/core getInput behavior: it trims whitespace by default
|
|
||||||
// (String.prototype.trim(), which strips characters such as a leading U+FEFF BOM)
|
|
||||||
// unless trimWhitespace is explicitly set to false.
|
|
||||||
const getInputImpl = (name: string, options?: {trimWhitespace?: boolean}) => {
|
|
||||||
const val = inputs[name] ?? ''
|
|
||||||
if (options && options.trimWhitespace === false) {
|
|
||||||
return val
|
|
||||||
}
|
|
||||||
return typeof val === 'string' ? val.trim() : val
|
|
||||||
}
|
|
||||||
|
|
||||||
// Mock @actions/core before loading input-helper
|
// Mock @actions/core before loading input-helper
|
||||||
jest.unstable_mockModule('@actions/core', () => ({
|
jest.unstable_mockModule('@actions/core', () => ({
|
||||||
getInput: jest.fn(getInputImpl),
|
getInput: jest.fn((name: string) => inputs[name]),
|
||||||
getBooleanInput: jest.fn((name: string) => inputs[name]),
|
getBooleanInput: jest.fn((name: string) => inputs[name]),
|
||||||
getMultilineInput: jest.fn((name: string) =>
|
getMultilineInput: jest.fn((name: string) =>
|
||||||
inputs[name] ? String(inputs[name]).split('\n').filter(Boolean) : []
|
inputs[name] ? String(inputs[name]).split('\n').filter(Boolean) : []
|
||||||
@@ -87,7 +76,9 @@ describe('input-helper tests', () => {
|
|||||||
inputs = {}
|
inputs = {}
|
||||||
jest.clearAllMocks()
|
jest.clearAllMocks()
|
||||||
// Re-apply default mocks
|
// Re-apply default mocks
|
||||||
;(core.getInput as jest.Mock<any>).mockImplementation(getInputImpl as any)
|
;(core.getInput as jest.Mock<any>).mockImplementation(
|
||||||
|
(name: string) => inputs[name]
|
||||||
|
)
|
||||||
mockDirectoryExistsSync.mockImplementation(
|
mockDirectoryExistsSync.mockImplementation(
|
||||||
(p: string) => p === gitHubWorkspace
|
(p: string) => p === gitHubWorkspace
|
||||||
)
|
)
|
||||||
@@ -185,84 +176,8 @@ describe('input-helper tests', () => {
|
|||||||
expect(settings.commit).toBeFalsy()
|
expect(settings.commit).toBeFalsy()
|
||||||
})
|
})
|
||||||
|
|
||||||
it('does not reclassify a ref as sha when a BOM is prefixed', async () => {
|
|
||||||
// A fork branch named "<U+FEFF>" + 40 hex chars. core.getInput trims the
|
|
||||||
// BOM by default, which previously collapsed this into a bare SHA and
|
|
||||||
// bypassed the unsafe fork PR checkout guard.
|
|
||||||
inputs.ref = '\uFEFF522d932fae5296da51fdf431934425ecf891c6a2'
|
|
||||||
const settings: IGitSourceSettings = await inputHelper.getInputs()
|
|
||||||
expect(settings.commit).toBeFalsy()
|
|
||||||
expect(settings.ref).toBe('522d932fae5296da51fdf431934425ecf891c6a2')
|
|
||||||
})
|
|
||||||
|
|
||||||
it('does not reclassify a sha-256 ref as sha when a BOM is prefixed', async () => {
|
|
||||||
inputs.ref =
|
|
||||||
'\uFEFF1111111111222222222233333333334444444444555555555566666666667777'
|
|
||||||
const settings: IGitSourceSettings = await inputHelper.getInputs()
|
|
||||||
expect(settings.commit).toBeFalsy()
|
|
||||||
expect(settings.ref).toBe(
|
|
||||||
'1111111111222222222233333333334444444444555555555566666666667777'
|
|
||||||
)
|
|
||||||
})
|
|
||||||
|
|
||||||
it('treats a sha surrounded by ascii whitespace as a commit', async () => {
|
|
||||||
// ASCII whitespace can only come from the workflow author's YAML (git ref
|
|
||||||
// names cannot contain it), so trimming it and treating the value as a
|
|
||||||
// commit is safe.
|
|
||||||
inputs.ref = ' 1111111111222222222233333333334444444444 '
|
|
||||||
const settings: IGitSourceSettings = await inputHelper.getInputs()
|
|
||||||
expect(settings.ref).toBeFalsy()
|
|
||||||
expect(settings.commit).toBe('1111111111222222222233333333334444444444')
|
|
||||||
})
|
|
||||||
|
|
||||||
it('sets workflow organization ID', async () => {
|
it('sets workflow organization ID', async () => {
|
||||||
const settings: IGitSourceSettings = await inputHelper.getInputs()
|
const settings: IGitSourceSettings = await inputHelper.getInputs()
|
||||||
expect(settings.workflowOrganizationId).toBe(123456)
|
expect(settings.workflowOrganizationId).toBe(123456)
|
||||||
})
|
})
|
||||||
|
|
||||||
describe('unsafe PR checkout guard', () => {
|
|
||||||
const forkPayload = {
|
|
||||||
repository: {id: 100},
|
|
||||||
pull_request: {
|
|
||||||
head: {
|
|
||||||
sha: '1234567890123456789012345678901234567890',
|
|
||||||
repo: {id: 200, full_name: 'attacker/fork'}
|
|
||||||
},
|
|
||||||
merge_commit_sha: 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
it('allows the default self-checkout on a fork pull_request_target', async () => {
|
|
||||||
const originalEvent = mockGithubContext.eventName
|
|
||||||
const originalPayload = mockGithubContext.payload
|
|
||||||
try {
|
|
||||||
mockGithubContext.eventName = 'pull_request_target'
|
|
||||||
mockGithubContext.payload = forkPayload
|
|
||||||
// Simulate a rebase/fast-forward merge where the base tip (event SHA)
|
|
||||||
// equals the PR head SHA. The default self-checkout must still succeed.
|
|
||||||
mockGithubContext.sha = '1234567890123456789012345678901234567890'
|
|
||||||
const settings: IGitSourceSettings = await inputHelper.getInputs()
|
|
||||||
expect(settings.commit).toBe('1234567890123456789012345678901234567890')
|
|
||||||
} finally {
|
|
||||||
mockGithubContext.eventName = originalEvent
|
|
||||||
mockGithubContext.payload = originalPayload
|
|
||||||
}
|
|
||||||
})
|
|
||||||
|
|
||||||
it('refuses an explicit fork repository on pull_request_target', async () => {
|
|
||||||
const originalEvent = mockGithubContext.eventName
|
|
||||||
const originalPayload = mockGithubContext.payload
|
|
||||||
try {
|
|
||||||
mockGithubContext.eventName = 'pull_request_target'
|
|
||||||
mockGithubContext.payload = forkPayload
|
|
||||||
inputs.repository = 'attacker/fork'
|
|
||||||
await expect(inputHelper.getInputs()).rejects.toThrow(
|
|
||||||
/Refusing to check out fork pull request code/
|
|
||||||
)
|
|
||||||
} finally {
|
|
||||||
mockGithubContext.eventName = originalEvent
|
|
||||||
mockGithubContext.payload = originalPayload
|
|
||||||
}
|
|
||||||
})
|
|
||||||
})
|
|
||||||
})
|
})
|
||||||
|
|||||||
39
dist/index.js
vendored
39
dist/index.js
vendored
@@ -42100,22 +42100,6 @@ async function getInputs() {
|
|||||||
`${github_context.repo.owner}/${github_context.repo.repo}`.toUpperCase();
|
`${github_context.repo.owner}/${github_context.repo.repo}`.toUpperCase();
|
||||||
// Source branch, source version
|
// Source branch, source version
|
||||||
result.ref = getInput('ref');
|
result.ref = getInput('ref');
|
||||||
// core.getInput()'s default trim strips a range of Unicode characters such as a
|
|
||||||
// leading BOM (U+FEFF) or NBSP (U+00A0). Those are valid in a git ref name, so
|
|
||||||
// a fork branch named "<BOM>" + 40 hex chars would trim down to a bare SHA and
|
|
||||||
// be silently reclassified as a commit, bypassing the unsafe fork PR checkout
|
|
||||||
// guard.
|
|
||||||
//
|
|
||||||
// The trim below strips only the ASCII whitespace characters which are all forbidden
|
|
||||||
// in a git branch name.
|
|
||||||
// \t U+0009 horizontal tab - ASCII control, forbidden in ref names
|
|
||||||
// \n U+000A line feed - ASCII control, forbidden in ref names
|
|
||||||
// \v U+000B vertical tab - ASCII control, forbidden in ref names
|
|
||||||
// \f U+000C form feed - ASCII control, forbidden in ref names
|
|
||||||
// \r U+000D carriage return - ASCII control, forbidden in ref names
|
|
||||||
// ' ' U+0020 space - forbidden in ref names
|
|
||||||
const asciiTrimmedRef = getInput('ref', { trimWhitespace: false })
|
|
||||||
.replace(/^[\t\n\v\f\r ]+|[\t\n\v\f\r ]+$/g, '');
|
|
||||||
if (!result.ref) {
|
if (!result.ref) {
|
||||||
if (isWorkflowRepository) {
|
if (isWorkflowRepository) {
|
||||||
result.ref = github_context.ref;
|
result.ref = github_context.ref;
|
||||||
@@ -42128,8 +42112,8 @@ async function getInputs() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
// SHA?
|
// SHA?
|
||||||
else if (asciiTrimmedRef.match(/^(?:[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$/)) {
|
else if (result.ref.match(/^(?:[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$/)) {
|
||||||
result.commit = asciiTrimmedRef;
|
result.commit = result.ref;
|
||||||
result.ref = '';
|
result.ref = '';
|
||||||
}
|
}
|
||||||
core_debug(`ref = '${result.ref}'`);
|
core_debug(`ref = '${result.ref}'`);
|
||||||
@@ -42207,19 +42191,12 @@ async function getInputs() {
|
|||||||
(getInput('allow-unsafe-pr-checkout') || 'false').toUpperCase() ===
|
(getInput('allow-unsafe-pr-checkout') || 'false').toUpperCase() ===
|
||||||
'TRUE';
|
'TRUE';
|
||||||
core_debug(`allow unsafe PR checkout = ${result.allowUnsafePrCheckout}`);
|
core_debug(`allow unsafe PR checkout = ${result.allowUnsafePrCheckout}`);
|
||||||
// The default self-checkout (this repository with no explicit ref) always
|
assertSafePrCheckout({
|
||||||
// resolves to the trusted ref/commit GitHub set for the triggering event, so
|
qualifiedRepository,
|
||||||
// the fork-checkout guard only needs to run when the caller customized the
|
ref: result.ref,
|
||||||
// repository or ref.
|
commit: result.commit,
|
||||||
const isDefaultCheckout = isWorkflowRepository && !getInput('ref');
|
allowUnsafePrCheckout: result.allowUnsafePrCheckout
|
||||||
if (!isDefaultCheckout) {
|
});
|
||||||
assertSafePrCheckout({
|
|
||||||
qualifiedRepository,
|
|
||||||
ref: result.ref,
|
|
||||||
commit: result.commit,
|
|
||||||
allowUnsafePrCheckout: result.allowUnsafePrCheckout
|
|
||||||
});
|
|
||||||
}
|
|
||||||
return result;
|
return result;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
77
package-lock.json
generated
77
package-lock.json
generated
@@ -20,13 +20,13 @@
|
|||||||
"@types/node": "^24.1.0",
|
"@types/node": "^24.1.0",
|
||||||
"@typescript-eslint/eslint-plugin": "^8.54.0",
|
"@typescript-eslint/eslint-plugin": "^8.54.0",
|
||||||
"@typescript-eslint/parser": "^8.54.0",
|
"@typescript-eslint/parser": "^8.54.0",
|
||||||
"@vercel/ncc": "^0.44.0",
|
"@vercel/ncc": "^0.44.1",
|
||||||
"eslint": "^9.39.2",
|
"eslint": "^9.39.2",
|
||||||
"eslint-plugin-github": "^6.0.0",
|
"eslint-plugin-github": "^6.1.1",
|
||||||
"eslint-plugin-jest": "^29.12.1",
|
"eslint-plugin-jest": "^29.12.1",
|
||||||
"jest": "^29.7.0",
|
"jest": "^29.7.0",
|
||||||
"js-yaml": "^4.2.0",
|
"js-yaml": "^4.2.0",
|
||||||
"prettier": "^3.8.4",
|
"prettier": "^3.9.5",
|
||||||
"ts-jest": "^29.4.11",
|
"ts-jest": "^29.4.11",
|
||||||
"ts-node": "^10.9.2",
|
"ts-node": "^10.9.2",
|
||||||
"typescript": "^5.5.4"
|
"typescript": "^5.5.4"
|
||||||
@@ -680,19 +680,19 @@
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
"node_modules/@eslint/compat": {
|
"node_modules/@eslint/compat": {
|
||||||
"version": "1.4.1",
|
"version": "2.1.0",
|
||||||
"resolved": "https://registry.npmjs.org/@eslint/compat/-/compat-1.4.1.tgz",
|
"resolved": "https://registry.npmjs.org/@eslint/compat/-/compat-2.1.0.tgz",
|
||||||
"integrity": "sha512-cfO82V9zxxGBxcQDr1lfaYB7wykTa0b00mGa36FrJl7iTFd0Z2cHfEYuxcBRP/iNijCsWsEkA+jzT8hGYmv33w==",
|
"integrity": "sha512-LgaSCymEpw7tF53xvDw9SNsraPb1IBHxpdABIOM0hW8UAlP8znrjYtuxfR58FSJ3L9BhwD+FaPRFQpZq84Nh6g==",
|
||||||
"dev": true,
|
"dev": true,
|
||||||
"license": "Apache-2.0",
|
"license": "Apache-2.0",
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"@eslint/core": "^0.17.0"
|
"@eslint/core": "^1.2.1"
|
||||||
},
|
},
|
||||||
"engines": {
|
"engines": {
|
||||||
"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
|
"node": "^20.19.0 || ^22.13.0 || >=24"
|
||||||
},
|
},
|
||||||
"peerDependencies": {
|
"peerDependencies": {
|
||||||
"eslint": "^8.40 || 9"
|
"eslint": "^8.40 || 9 || 10"
|
||||||
},
|
},
|
||||||
"peerDependenciesMeta": {
|
"peerDependenciesMeta": {
|
||||||
"eslint": {
|
"eslint": {
|
||||||
@@ -700,6 +700,19 @@
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"node_modules/@eslint/compat/node_modules/@eslint/core": {
|
||||||
|
"version": "1.2.1",
|
||||||
|
"resolved": "https://registry.npmjs.org/@eslint/core/-/core-1.2.1.tgz",
|
||||||
|
"integrity": "sha512-MwcE1P+AZ4C6DWlpin/OmOA54mmIZ/+xZuJiQd4SyB29oAJjN30UW9wkKNptW2ctp4cEsvhlLY/CsQ1uoHDloQ==",
|
||||||
|
"dev": true,
|
||||||
|
"license": "Apache-2.0",
|
||||||
|
"dependencies": {
|
||||||
|
"@types/json-schema": "^7.0.15"
|
||||||
|
},
|
||||||
|
"engines": {
|
||||||
|
"node": "^20.19.0 || ^22.13.0 || >=24"
|
||||||
|
}
|
||||||
|
},
|
||||||
"node_modules/@eslint/config-array": {
|
"node_modules/@eslint/config-array": {
|
||||||
"version": "0.21.2",
|
"version": "0.21.2",
|
||||||
"resolved": "https://registry.npmjs.org/@eslint/config-array/-/config-array-0.21.2.tgz",
|
"resolved": "https://registry.npmjs.org/@eslint/config-array/-/config-array-0.21.2.tgz",
|
||||||
@@ -1986,9 +1999,9 @@
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
"node_modules/@vercel/ncc": {
|
"node_modules/@vercel/ncc": {
|
||||||
"version": "0.44.0",
|
"version": "0.44.1",
|
||||||
"resolved": "https://registry.npmjs.org/@vercel/ncc/-/ncc-0.44.0.tgz",
|
"resolved": "https://registry.npmjs.org/@vercel/ncc/-/ncc-0.44.1.tgz",
|
||||||
"integrity": "sha512-pHyI+bZokSgIscTKFSmpNk5vZzmOrb9RW0Vu4SRyqUvkJ0kgg3PzaZLLDVTFXhbUiCqg0/Eu8L4fKtgViA92kg==",
|
"integrity": "sha512-cUjIE5P2YY1n+Kt9rFIazMMpGoPn1Fic04rOmTkElMkiDP5oszGfERMpo2shVkFKDL7rVppdM2pqJKC59shQWQ==",
|
||||||
"dev": true,
|
"dev": true,
|
||||||
"license": "MIT",
|
"license": "MIT",
|
||||||
"bin": {
|
"bin": {
|
||||||
@@ -3410,13 +3423,13 @@
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
"node_modules/eslint-plugin-github": {
|
"node_modules/eslint-plugin-github": {
|
||||||
"version": "6.0.0",
|
"version": "6.1.1",
|
||||||
"resolved": "https://registry.npmjs.org/eslint-plugin-github/-/eslint-plugin-github-6.0.0.tgz",
|
"resolved": "https://registry.npmjs.org/eslint-plugin-github/-/eslint-plugin-github-6.1.1.tgz",
|
||||||
"integrity": "sha512-J8MvUoiR/TU/Y9NnEmg1AnbvMUj9R6IO260z47zymMLLvso7B4c80IKjd8diqmqtSmeXXlbIus4i0SvK84flag==",
|
"integrity": "sha512-xCqu1S/s/CCvoRLafaXNvwiVrxhroNOFLGyG9Dhi4i1PWZgPHlipjXysH6wccPFQyhSKE7gAjSLqdSdM204bZQ==",
|
||||||
"dev": true,
|
"dev": true,
|
||||||
"license": "MIT",
|
"license": "MIT",
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"@eslint/compat": "^1.2.3",
|
"@eslint/compat": "^2.0.0",
|
||||||
"@eslint/eslintrc": "^3.1.0",
|
"@eslint/eslintrc": "^3.1.0",
|
||||||
"@eslint/js": "^9.14.0",
|
"@eslint/js": "^9.14.0",
|
||||||
"@github/browserslist-config": "^1.0.0",
|
"@github/browserslist-config": "^1.0.0",
|
||||||
@@ -3433,24 +3446,24 @@
|
|||||||
"eslint-plugin-no-only-tests": "^3.0.0",
|
"eslint-plugin-no-only-tests": "^3.0.0",
|
||||||
"eslint-plugin-prettier": "^5.2.1",
|
"eslint-plugin-prettier": "^5.2.1",
|
||||||
"eslint-rule-documentation": ">=1.0.0",
|
"eslint-rule-documentation": ">=1.0.0",
|
||||||
"globals": "^16.0.0",
|
"globals": "^17.7.0",
|
||||||
"jsx-ast-utils": "^3.3.2",
|
"jsx-ast-utils": "^3.3.2",
|
||||||
"prettier": "^3.0.0",
|
"prettier": "^3.0.0",
|
||||||
"svg-element-attributes": "^1.3.1",
|
"svg-element-attributes": "^1.3.1",
|
||||||
"typescript": "^5.7.3",
|
"typescript": "^6.0.3",
|
||||||
"typescript-eslint": "^8.14.0"
|
"typescript-eslint": "^8.14.0"
|
||||||
},
|
},
|
||||||
"bin": {
|
"bin": {
|
||||||
"eslint-ignore-errors": "bin/eslint-ignore-errors.js"
|
"eslint-ignore-errors": "bin/eslint-ignore-errors.js"
|
||||||
},
|
},
|
||||||
"peerDependencies": {
|
"peerDependencies": {
|
||||||
"eslint": "^8 || ^9"
|
"eslint": "^8 || ^9 || ^10"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"node_modules/eslint-plugin-github/node_modules/globals": {
|
"node_modules/eslint-plugin-github/node_modules/globals": {
|
||||||
"version": "16.5.0",
|
"version": "17.7.0",
|
||||||
"resolved": "https://registry.npmjs.org/globals/-/globals-16.5.0.tgz",
|
"resolved": "https://registry.npmjs.org/globals/-/globals-17.7.0.tgz",
|
||||||
"integrity": "sha512-c/c15i26VrJ4IRt5Z89DnIzCGDn9EcebibhAOjw5ibqEHsE1wLUgkPn9RDmNcUKyU87GeaL633nyJ+pplFR2ZQ==",
|
"integrity": "sha512-Czmyns5dUsq4seFBR/Kdydhmo8y9kC79hiSkPn0YcGtNnYWnrgt0vjrSjx9tspoDGWm2CMarffRuLjM4xUz8xg==",
|
||||||
"dev": true,
|
"dev": true,
|
||||||
"license": "MIT",
|
"license": "MIT",
|
||||||
"engines": {
|
"engines": {
|
||||||
@@ -3460,6 +3473,20 @@
|
|||||||
"url": "https://github.com/sponsors/sindresorhus"
|
"url": "https://github.com/sponsors/sindresorhus"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"node_modules/eslint-plugin-github/node_modules/typescript": {
|
||||||
|
"version": "6.0.3",
|
||||||
|
"resolved": "https://registry.npmjs.org/typescript/-/typescript-6.0.3.tgz",
|
||||||
|
"integrity": "sha512-y2TvuxSZPDyQakkFRPZHKFm+KKVqIisdg9/CZwm9ftvKXLP8NRWj38/ODjNbr43SsoXqNuAisEf1GdCxqWcdBw==",
|
||||||
|
"dev": true,
|
||||||
|
"license": "Apache-2.0",
|
||||||
|
"bin": {
|
||||||
|
"tsc": "bin/tsc",
|
||||||
|
"tsserver": "bin/tsserver"
|
||||||
|
},
|
||||||
|
"engines": {
|
||||||
|
"node": ">=14.17"
|
||||||
|
}
|
||||||
|
},
|
||||||
"node_modules/eslint-plugin-i18n-text": {
|
"node_modules/eslint-plugin-i18n-text": {
|
||||||
"version": "1.0.1",
|
"version": "1.0.1",
|
||||||
"resolved": "https://registry.npmjs.org/eslint-plugin-i18n-text/-/eslint-plugin-i18n-text-1.0.1.tgz",
|
"resolved": "https://registry.npmjs.org/eslint-plugin-i18n-text/-/eslint-plugin-i18n-text-1.0.1.tgz",
|
||||||
@@ -6443,9 +6470,9 @@
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
"node_modules/prettier": {
|
"node_modules/prettier": {
|
||||||
"version": "3.8.4",
|
"version": "3.9.5",
|
||||||
"resolved": "https://registry.npmjs.org/prettier/-/prettier-3.8.4.tgz",
|
"resolved": "https://registry.npmjs.org/prettier/-/prettier-3.9.5.tgz",
|
||||||
"integrity": "sha512-N2MylSdi48+5N/6S5j+maeHbUSIzzZ5uOcX5Hm4QpV8Dkb1HFjfAKTKX6yNPJQD9AhcT3ifHNB66tWTTJDi11Q==",
|
"integrity": "sha512-/FVl766LpUfB5vXgCYOYa0MeV/441Ia99AeICQIQFTY/Nw0roZwULcXpku5i1/m5kt/baz+s4Zogspd839HSMg==",
|
||||||
"dev": true,
|
"dev": true,
|
||||||
"license": "MIT",
|
"license": "MIT",
|
||||||
"bin": {
|
"bin": {
|
||||||
|
|||||||
@@ -43,13 +43,13 @@
|
|||||||
"@types/node": "^24.1.0",
|
"@types/node": "^24.1.0",
|
||||||
"@typescript-eslint/eslint-plugin": "^8.54.0",
|
"@typescript-eslint/eslint-plugin": "^8.54.0",
|
||||||
"@typescript-eslint/parser": "^8.54.0",
|
"@typescript-eslint/parser": "^8.54.0",
|
||||||
"@vercel/ncc": "^0.44.0",
|
"@vercel/ncc": "^0.44.1",
|
||||||
"eslint": "^9.39.2",
|
"eslint": "^9.39.2",
|
||||||
"eslint-plugin-github": "^6.0.0",
|
"eslint-plugin-github": "^6.1.1",
|
||||||
"eslint-plugin-jest": "^29.12.1",
|
"eslint-plugin-jest": "^29.12.1",
|
||||||
"jest": "^29.7.0",
|
"jest": "^29.7.0",
|
||||||
"js-yaml": "^4.2.0",
|
"js-yaml": "^4.2.0",
|
||||||
"prettier": "^3.8.4",
|
"prettier": "^3.9.5",
|
||||||
"ts-jest": "^29.4.11",
|
"ts-jest": "^29.4.11",
|
||||||
"ts-node": "^10.9.2",
|
"ts-node": "^10.9.2",
|
||||||
"typescript": "^5.5.4"
|
"typescript": "^5.5.4"
|
||||||
|
|||||||
@@ -59,23 +59,6 @@ export async function getInputs(): Promise<IGitSourceSettings> {
|
|||||||
|
|
||||||
// Source branch, source version
|
// Source branch, source version
|
||||||
result.ref = core.getInput('ref')
|
result.ref = core.getInput('ref')
|
||||||
// core.getInput()'s default trim strips a range of Unicode characters such as a
|
|
||||||
// leading BOM (U+FEFF) or NBSP (U+00A0). Those are valid in a git ref name, so
|
|
||||||
// a fork branch named "<BOM>" + 40 hex chars would trim down to a bare SHA and
|
|
||||||
// be silently reclassified as a commit, bypassing the unsafe fork PR checkout
|
|
||||||
// guard.
|
|
||||||
//
|
|
||||||
// The trim below strips only the ASCII whitespace characters which are all forbidden
|
|
||||||
// in a git branch name.
|
|
||||||
// \t U+0009 horizontal tab - ASCII control, forbidden in ref names
|
|
||||||
// \n U+000A line feed - ASCII control, forbidden in ref names
|
|
||||||
// \v U+000B vertical tab - ASCII control, forbidden in ref names
|
|
||||||
// \f U+000C form feed - ASCII control, forbidden in ref names
|
|
||||||
// \r U+000D carriage return - ASCII control, forbidden in ref names
|
|
||||||
// ' ' U+0020 space - forbidden in ref names
|
|
||||||
const asciiTrimmedRef = core
|
|
||||||
.getInput('ref', {trimWhitespace: false})
|
|
||||||
.replace(/^[\t\n\v\f\r ]+|[\t\n\v\f\r ]+$/g, '')
|
|
||||||
if (!result.ref) {
|
if (!result.ref) {
|
||||||
if (isWorkflowRepository) {
|
if (isWorkflowRepository) {
|
||||||
result.ref = github.context.ref
|
result.ref = github.context.ref
|
||||||
@@ -89,8 +72,8 @@ export async function getInputs(): Promise<IGitSourceSettings> {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
// SHA?
|
// SHA?
|
||||||
else if (asciiTrimmedRef.match(/^(?:[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$/)) {
|
else if (result.ref.match(/^(?:[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$/)) {
|
||||||
result.commit = asciiTrimmedRef
|
result.commit = result.ref
|
||||||
result.ref = ''
|
result.ref = ''
|
||||||
}
|
}
|
||||||
core.debug(`ref = '${result.ref}'`)
|
core.debug(`ref = '${result.ref}'`)
|
||||||
@@ -185,19 +168,12 @@ export async function getInputs(): Promise<IGitSourceSettings> {
|
|||||||
'TRUE'
|
'TRUE'
|
||||||
core.debug(`allow unsafe PR checkout = ${result.allowUnsafePrCheckout}`)
|
core.debug(`allow unsafe PR checkout = ${result.allowUnsafePrCheckout}`)
|
||||||
|
|
||||||
// The default self-checkout (this repository with no explicit ref) always
|
unsafePrCheckoutHelper.assertSafePrCheckout({
|
||||||
// resolves to the trusted ref/commit GitHub set for the triggering event, so
|
qualifiedRepository,
|
||||||
// the fork-checkout guard only needs to run when the caller customized the
|
ref: result.ref,
|
||||||
// repository or ref.
|
commit: result.commit,
|
||||||
const isDefaultCheckout = isWorkflowRepository && !core.getInput('ref')
|
allowUnsafePrCheckout: result.allowUnsafePrCheckout
|
||||||
if (!isDefaultCheckout) {
|
})
|
||||||
unsafePrCheckoutHelper.assertSafePrCheckout({
|
|
||||||
qualifiedRepository,
|
|
||||||
ref: result.ref,
|
|
||||||
commit: result.commit,
|
|
||||||
allowUnsafePrCheckout: result.allowUnsafePrCheckout
|
|
||||||
})
|
|
||||||
}
|
|
||||||
|
|
||||||
return result
|
return result
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user