docker-mailserver/.github/workflows
Brennan Kinney bdb770a0aa
ci(fix): Do not trust user controlled input (#2337)
The prepare workflow runs in an untrusted context already and thus should not have anything worthwhile to exploit.

However, care should still be taken to avoid directly interpolating into shell scripts any expressions whose value a user can control, especially to avoid any maintainer who references an existing workflow copying a risky snippet, unaware of the different security contexts for workflows.

In this case, as per GitHub documentation and the referenced issue comment, the PR title is user-controllable data which, if directly interpolated into the shell script being run (as it previously was), allows for injecting commands to execute.
2021-12-21 21:46:09 +13:00
scripts/docs docs(deps): bump mkdocs-material to v8.1.1 (#2324) 2021-12-14 23:10:29 +01:00
contributors.yml Run contributors workflow monthly 2021-09-30 06:49:53 +00:00
default_on_push.yml chore(deps): bump docker/login-action from 1.10.0 to 1.11.0 (#2335) 2021-12-20 15:57:02 +01:00
docs-preview-deploy.yml chore(deps): bump myrotvorets/set-commit-status-action (#2167) 2021-09-05 09:22:49 +00:00
docs-preview-prepare.yml ci(fix): Do not trust user controlled input (#2337) 2021-12-21 21:46:09 +13:00
docs-production-deploy.yml ci(fix): Do not trust user controlled input (#2337) 2021-12-21 21:46:09 +13:00
handle_stalled.yml Updated ShellCheck to 0.8.0 and Hadolint to 2.8.0 (#2329) 2021-12-19 11:56:22 +01:00
linting.yml Updated ShellCheck to 0.8.0 and Hadolint to 2.8.0 (#2329) 2021-12-19 11:56:22 +01:00
scheduled_builds.yml chore(deps): bump docker/login-action from 1.10.0 to 1.11.0 (#2335) 2021-12-20 15:57:02 +01:00
test_merge_requests.yml chore(deps): bump actions/cache from 2.1.6 to 2.1.7 (#2309) 2021-11-29 13:16:43 +01:00