Merge pull request #107 from fish-shop/harden-action

Harden action handling of untrusted inputs
fish-shop · Aug 9, 2024 · 7a2d5ad · 7a2d5ad
2 parents 1eab61e + 80e05ee
commit 7a2d5ad
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -25,7 +25,7 @@ Add a suitable `uses` step to your GitHub [workflow](https://docs.github.com/en/
   uses: fish-shop/run-fishtape-tests@v1
 ```
 
-By default, all files under `$GITHUB_WORKSPACE` with a `.fish` file extension are recursively tested. To specify a different file pattern to match against, provide a value for the `pattern` input. For example, to check all `.fish` files starting in the `tests` directory and descending into subdirectories:
+By default, all files under `$GITHUB_WORKSPACE` with a `.fish` file extension are tested. To override the default behaviour, provide one or more space-seperated pattern values to the `patterns` input. For example, to test all `.fish` files starting in the `tests` directory and descending into subdirectories:
 
 ```yaml
 - name: Run Fishtape tests
@@ -34,7 +34,7 @@ By default, all files under `$GITHUB_WORKSPACE` with a `.fish` file extension ar
     pattern: tests/**.fish
 ```
 
-Multiple space-separated `pattern` values are supported and can include [wildcards](https://fishshell.com/docs/current/language.html#expand-wildcard) and [brace expansion](https://fishshell.com/docs/current/language.html?highlight=brace+expansion#brace-expansion):
+Each pattern value may include [wildcards](https://fishshell.com/docs/current/language.html#expand-wildcard) and/or [brace expansion](https://fishshell.com/docs/current/language.html?highlight=brace+expansion#brace-expansion):
 
 ```yaml
 - name: Run Fishtape tests

diff --git a/action.yml b/action.yml
@@ -4,33 +4,47 @@ branding:
   icon: 'check-square'
   color: 'green'
 inputs:
-  pattern:
-    description: 'File name pattern'
+  patterns:
+    description: 'File patterns to match against when running tests'
     required: false
     default: '**.fish'
   raw-output:
     description: 'Produce raw TAP output'
     required: false
     default: 'false'
-
 runs:
   using: 'composite'
   steps:
-    - uses: fish-shop/install-plugin@9b1d802d389c0226fe523ef0d214f3e50ec31087 # v2.3.1
+    - name: Install fisher
+      uses: fish-shop/install-plugin@9b1d802d389c0226fe523ef0d214f3e50ec31087 # v2.3.1
       with:
         plugin-manager: fisher
         plugins: jorgebucaran/fishtape
     - name: Install tap-diff
       run: npm install -g tap-diff
       shell: fish {0}
     - name: Run fishtape tests
+      env:
+        PATTERNS: ${{ inputs.patterns }}
+        RAW_OUTPUT: ${{ inputs.raw-output }}
       run: |
         set -gx TERM xterm-256color
         set -gx FORCE_COLOR 2
-        switch ${{ inputs.raw-output }}
+
+        set raw_output (string escape --no-quoted -- $RAW_OUTPUT)
+
+        for pattern in (string split --no-empty -- " " $PATTERNS)
+            set -l escaped (string escape --style=script --no-quoted -- $pattern)
+            set -l escaped (string replace -r -a -- '\\\([?*{}])' '$1' $escaped)
+            eval set -a files $escaped
+        end
+
+        switch $raw_output
             case true
-                fishtape ${{ inputs.pattern }}
+                fishtape $files
+            case false
+                fishtape $files | tap-diff
             case '*'
-                fishtape ${{ inputs.pattern }} | tap-diff
+                echo "Unrecognised raw output option: '$raw_output'" >&2; and exit 1
         end
       shell: fish {0}