Fix command injection vulnerability in autoTestPR (#2244)

Fixes a command injection vulnerability with the auto test PR GitHub Workflow. See https://securitylab.github.com/research/github-actions-untrusted-input Also removes the unecessary `&& github.event_name != 'pull_request'` condition from the autoTestPR job because it will always be satisfied. (This workflow only triggers upon issue_comment, so `github.event_name` will never be 'pull_request')
adoptium · Feb 9, 2021 · 1cc3a47 · 1cc3a47
1 parent 2227228
commit 1cc3a47
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/.github/workflows/autoTestPR.yml b/.github/workflows/autoTestPR.yml
@@ -5,7 +5,7 @@ on:
 jobs:
   autoTestPR:
     runs-on: ubuntu-latest
-    if: startsWith(github.event.comment.body, 'auto exclude test') && github.event_name != 'pull_request'
+    if: startsWith(github.event.comment.body, 'auto exclude test')
     steps:
       - name: Set up Python 3.8
         uses: actions/setup-python@v2
@@ -28,9 +28,11 @@ jobs:
           ref: 'master'
           path: 'TKG'
       - name: run script
+        env:
+          comment_body: ${{ github.event.comment.body }}
         run: |
           git config --list
-          python TKG/scripts/testBot/disable.py -m "${{ github.event.comment.body }}" -c "${{ github.event.comment.html_url }}" -d "$GITHUB_WORKSPACE/tests"
+          python TKG/scripts/testBot/disable.py -m "$comment_body" -c "${{ github.event.comment.html_url }}" -d "$GITHUB_WORKSPACE/tests"
       - name: test cannot be found
         if: failure()
         run: |
@@ -48,4 +50,4 @@ jobs:
             - related: ${{ github.event.comment.html_url }}
           branch: 'autoTestPR'
           branch-suffix: 'random'
-          signoff: 'true'
+          signoff: 'true'