From 05c6f42f7be9c218c7d65a70159e2222a8a81249 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gast=C3=B3n=20Fournier?=
Date: Thu, 6 Jul 2023 09:52:50 +0200
Subject: [PATCH] fix: avoid expression injection (#4157)

## About the changes
Using toJSON should escape any potentially harmful content from the username and email input
---
 .github/workflows/notify_enterprise.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/notify_enterprise.yaml b/.github/workflows/notify_enterprise.yaml
index 7aa5abf3bf..a9355807f6 100644
--- a/.github/workflows/notify_enterprise.yaml
+++ b/.github/workflows/notify_enterprise.yaml
@@ -38,7 +38,7 @@ jobs:
 ref: 'master',
 inputs: {
 commit: "${{ github.event.head_commit.id }}",
- actor: "${{ env.COMMIT_ACTOR }}",
+ actor: ${{ toJSON(env.COMMIT_ACTOR) }},
 message: ${{ toJSON(github.event.head_commit.message) }},
 }
 })
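Review bot: The new `actor` line still expands `${{ … }}` into the script text before it runs, so its safety rests on `toJSON` output always being a well-formed, closed string literal in the embedding language. Because `COMMIT_ACTOR` is already an environment variable, the value could be read at runtime instead, e.g. `actor: process.env.COMMIT_ACTOR,`, which keeps committer-controlled text out of the code path entirely. This assumes the object literal sits inside an `actions/github-script` `script:` block, which begins outside the hunk. The `message` line could follow the same pattern by mapping `github.event.head_commit.message` to a step-level `env:` entry and reading it from `process.env`. It is also worth confirming that the place where `COMMIT_ACTOR` is defined (not visible here) does not itself interpolate the username and email into a shell `run:` step.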