prevent command substitution via uses (#27)

jenseng · web-flow · commit 1ff8da5708ed · 2025-12-10T14:26:04.000-07:00
ideally you would never build a `uses` using untrusted input, but better
safe than sorry 😅
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -48,4 +48,26 @@ jobs:
       - uses: ./.github/actions/assert-equal
         with:
           expected: 🙊
-          actual: ${{ fromJSON(steps.no-inputs.outputs.outputs).echo }}
+          actual: ${{ fromJSON(steps.no-inputs.outputs.outputs).echo }}
+  test-invalid-inputs:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+      - name: attempt command substitution via uses
+        id: command-substitution
+        uses: ./.
+        with:
+          uses: ./.github/actions/echo$(echo secret>ohno.txt)
+        continue-on-error: true
+      - uses: ./.github/actions/assert-equal
+        with:
+          expected: failure
+          actual: ${{ steps.command-substitution.outcome }}
+      - id: verify-command-didnt-run
+        shell: bash
+        run: |
+          if [ -f ohno.txt ]; then
+            echo "::error::Expected command substitution not to happen"
+            exit 1
+          fi
diff --git a/action.yml b/action.yml
@@ -19,6 +19,7 @@ runs:
     - name: Setup
       shell: bash
       env:
+        uses: ${{ inputs.uses }}
         with: ${{ inputs.with }}
       run: |
         mkdir -p ./.tmp-dynamic-uses &&
@@ -33,7 +34,7 @@ runs:
             shell: bash
           - name: Run
             id: run
-            uses: ${{ toJSON(inputs.uses) }}
+            uses: '$(echo "$uses" | sed "s/'/''/g")'
             with:
         $(echo "$with" | sed 's/^/      /')
         DYNAMIC_USES_EOF
