Harden environment lookup

2026-05-16 02:08:48 +07:00 · 2026-05-16 00:07:19 +05:30
parent 27b75bd953
commit b76777ed55
3 changed files with 18 additions and 9 deletions
--- a/tests/utils.test.ts
+++ b/tests/utils.test.ts
@@ -11,6 +11,12 @@ describe('Utils tests', () => {
    expect(await utils.readEnv('TEST')).toBe('setup-php');
    expect(await utils.readEnv('test_hyphen')).toBe('setup-php');
    expect(await utils.readEnv('TEST_HYPHEN')).toBe('setup-php');
+    expect(await utils.readEnv('test invalid')).toBe('');
+    process.env['conflict_hyphen'] = 'setup-php';
+    process.env['conflict-hyphen'] = 'wrong';
+    expect(await utils.readEnv('conflict_hyphen')).toBe('setup-php');
+    delete process.env['conflict_hyphen'];
+    delete process.env['conflict-hyphen'];
    expect(await utils.readEnv('undefined')).toBe('');
  });

--- a/dist/index.js
+++ b/dist/index.js
--- a/src/utils.ts
+++ b/src/utils.ts
@@ -9,16 +9,19 @@ import * as fetch from './fetch';
 * @param property
 */
 export async function readEnv(property: string): Promise<string> {
+  if (!/^[A-Za-z0-9_-]+$/.test(property)) {
+    return '';
+  }
  const property_lc: string = property.toLowerCase();
  const property_uc: string = property.toUpperCase();
-  return (
-    process.env[property] ||
-    process.env[property_lc] ||
-    process.env[property_uc] ||
-    process.env[property_lc.replace('_', '-')] ||
-    process.env[property_uc.replace('_', '-')] ||
-    ''
-  );
+  const candidates = [
+    property,
+    property_lc,
+    property_uc,
+    property_lc.replace('_', '-'),
+    property_uc.replace('_', '-')
+  ].filter((value, index, array) => array.indexOf(value) === index);
+  return candidates.map(name => process.env[name] || '').find(Boolean) || '';
 }

 /**