From 4b9d3daa29ea98e3d64d2f407cbb128287854011 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Agust=C3=ADn=20Borgna?= <121866228+aborgna-q@users.noreply.github.com>
Date: Thu, 2 May 2024 12:53:45 +0100
Subject: [PATCH] ci(pr-title): Escape variables used in bash scripts (#992)

Don't insert github expressions directly in the bash script.
- It breaks if there are [backticks] or [quotes] inside the variable.
- It's a security issue, it allows arbitrary code injections from the PR description.
The solution is to put them into env variables first.
---
 .github/workflows/pr-title.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
index 30cb6dfa4..3cd9a8b4a 100644
--- a/.github/workflows/pr-title.yml
+++ b/.github/workflows/pr-title.yml
@@ -87,7 +87,7 @@ jobs:
 - name: Check for breaking change flag
 id: breaking
 run: |
- if [[ "${{ github.event.pull_request.title }}" =~ ^.*\!:.*$ ]]; then
+ if [[ "${PR_TITLE}" =~ ^.*\!:.*$ ]]; then
 echo "breaking=true" >> $GITHUB_OUTPUT
 else
 echo "breaking=false" >> $GITHUB_OUTPUT
@@ -95,11 +95,14 @@ jobs:
 # Check if the PR comment has a "BREAKING CHANGE:" footer describing
 # the breaking change.
- if [[ "${{ github.event.pull_request.body }}" != *"BREAKING CHANGE:"* ]]; then
+ if [[ "${PR_BODY}" != *"BREAKING CHANGE:"* ]]; then
 echo "has_breaking_footer=false" >> $GITHUB_OUTPUT
 else
 echo "has_breaking_footer=true" >> $GITHUB_OUTPUT
 fi
+ env:
+ PR_TITLE: ${{ github.event.pull_request.title }}
+ PR_BODY: ${{ github.event.pull_request.body }}
 # Post a help comment if the PR title indicates a breaking change but does
 # not contain a "BREAKING CHANGE:" footer.
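Review bot: The new `[[ "${PR_TITLE}" =~ ^.*\!:.*$ ]]` test is a plain substring check dressed as an anchored regex, and it relies on bash turning the unquoted `\!` into a literal `!` inside the pattern; a glob says the same thing without the escape: `if [[ "${PR_TITLE}" == *'!:'* ]]; then`. The `echo ... >> $GITHUB_OUTPUT` context lines around it leave the output path unquoted; `"$GITHUB_OUTPUT"` is the safer habit even though the runner-supplied path is unlikely to contain whitespace. The `env:` block that defines `PR_TITLE` is added in the second hunk of this step, so this line is only correct with that hunk applied, which the patch does.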
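Review bot: Moving the title and body into step-level `env:` closes the injection in this step, but the trailing context comment says a later step posts a help comment, and that step lies outside the hunk, so it is worth confirming it does not re-interpolate `${{ github.event.pull_request.title }}` or `.body` into a `run:` or `script:` block where the same PR-controlled text would again be parsed as code. A PR with no description makes `${{ github.event.pull_request.body }}` expand to an empty string, which the `!= *"BREAKING CHANGE:"*` glob already handles (no footer, `has_breaking_footer=false`), so no extra guard is needed there. The `[[ ... ]]` syntax used on both sides of the hunk assumes bash; if this job could ever run on a runner whose default shell is not bash, an explicit `shell: bash` on the step would pin it.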