Merge pull request #11 from 1Password/eddy/fix-injection

edif2008 · web-flow · commit d50df7cd6d7c · 2022-05-18T17:42:36.000+02:00
Improve the way input is processed to avoid command injection
diff --git a/action.yml b/action.yml
@@ -10,8 +10,9 @@ inputs:
     default: false
 runs:
   using: composite
-  steps: 
-    - run: |
-        export INPUT_UNSET_PREVIOUS=${{ inputs.unset-previous }}
+  steps:
+    - shell: bash
+      env:
+        INPUT_UNSET_PREVIOUS: ${{ inputs.unset-previous }}
+      run: |
         ${{ github.action_path }}/entrypoint.sh
-      shell: bash
diff --git a/configure/action.yml b/configure/action.yml
@@ -8,9 +8,10 @@ inputs:
     description: Token to authenticate to your 1Password Connect instance
 runs:
   using: composite
-  steps: 
-    - run: |
-        export INPUT_CONNECT_HOST=${{ inputs.connect-host }}
-        export INPUT_CONNECT_TOKEN=${{ inputs.connect-token }}
+  steps:
+    - shell: bash
+      env:
+        INPUT_CONNECT_HOST: ${{ inputs.connect-host }}
+        INPUT_CONNECT_TOKEN: ${{ inputs.connect-token }}
+      run: |
         ${{ github.action_path }}/entrypoint.sh
-      shell: bash
