From de1611082403aceb5d6ade6d6bb8ca70348407ac Mon Sep 17 00:00:00 2001
From: rdietrick
Date: Sat, 22 Jun 2024 07:20:20 -0700
Subject: [PATCH] resolved security finding by performing safety check on regexp from env var

---
 node-scripts/branch-filter.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/node-scripts/branch-filter.js b/node-scripts/branch-filter.js
index 2fd5d50..3995aad 100644
--- a/node-scripts/branch-filter.js
+++ b/node-scripts/branch-filter.js
@@ -1,9 +1,11 @@
 const core = require("@actions/core");
 const github = require("@actions/github");
+const lodash = require("lodash");
 
 (function start() {
 try {
 const issuePrefix = process.env?.ISSUE_PREFIX;
+ const safeIssuePrefix = lodash.escapeRegExp(issuePrefix);
 let ref = process.env?.BRANCH_NAME;
 if (!ref) {
 ref = github.context.ref;
@@ -11,7 +13,7 @@ const github = require("@actions/github");
 const branchName = ref.substring(ref.lastIndexOf("/") + 1);
 console.log(`branchName = ${branchName}`);
 core.setOutput("branchName", branchName);
- const re = new RegExp("^" + issuePrefix + "(\\d+)");
+ const re = new RegExp("^" + safeIssuePrefix + "(\\d+)");
 const prefixMatches = branchName.match(re);
 let matches = "false";
 let issueNumber = "";
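Review bot: The new `const lodash = require("lodash");` line pulls in a whole third-party package for one call, and the diffstat shows only `branch-filter.js` changed, so no `package.json`/lockfile entry is added in this patch; unless lodash is already a declared dependency of `node-scripts`, the action will fail at `require` time, and even if it is, a new supply-chain dependency is a heavy price for a five-token escape. The same escaping can be done locally with no import: `const safeIssuePrefix = String(issuePrefix ?? "").replace(/[.*+?^${}()|[\]\\]/g, "\\$&");`, which also makes the nullish-input behaviour explicit instead of relying on lodash's coercion. Consider adding a one-line comment above it, e.g. `// ISSUE_PREFIX comes from the workflow environment; escape it so it is matched literally (regex injection / ReDoS finding).`, so the next maintainer does not "simplify" it away. The `start` IIFE opened in this hunk continues past it.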
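Review bot: With `ISSUE_PREFIX` unset, the `new RegExp("^" + safeIssuePrefix + "(\\d+)")` line in this hunk now compiles to `^(\d+)`, because lodash's `escapeRegExp` coerces `undefined` to an empty string; before the patch the pattern was `^undefined(\d+)`, which in practice never matched, so any branch whose name begins with digits will now be reported as an issue match. If an empty prefix should not match, reject it before compiling, e.g. `if (!issuePrefix) { core.setFailed("ISSUE_PREFIX is not set"); return; }` right after the `const issuePrefix` line in the first hunk, or document in a comment that an empty prefix deliberately matches any leading issue number. The escaped literal prefix followed by `(\d+)` has no ambiguous repetition, so the injection/ReDoS finding the commit targets is closed as far as this file shows. The enclosing `try` block continues beyond the hunk.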