Harden environment lookup

__tests__/utils.test.ts

@@ -11,6 +11,12 @@ describe('Utils tests', () => {
     expect(await utils.readEnv('TEST')).toBe('setup-php');
     expect(await utils.readEnv('test_hyphen')).toBe('setup-php');
     expect(await utils.readEnv('TEST_HYPHEN')).toBe('setup-php');
+    expect(await utils.readEnv('test invalid')).toBe('');
+    process.env['conflict_hyphen'] = 'setup-php';
+    process.env['conflict-hyphen'] = 'wrong';
+    expect(await utils.readEnv('conflict_hyphen')).toBe('setup-php');
+    delete process.env['conflict_hyphen'];
+    delete process.env['conflict-hyphen'];
     expect(await utils.readEnv('undefined')).toBe('');
   });
 

src/utils.ts

@@ -9,16 +9,19 @@ import * as fetch from './fetch';
  * @param property
  */
 export async function readEnv(property: string): Promise<string> {
+  if (!/^[A-Za-z0-9_-]+$/.test(property)) {
+    return '';
+  }
   const property_lc: string = property.toLowerCase();
   const property_uc: string = property.toUpperCase();
-  return (
+  const candidates = [
-    process.env[property] ||
+    property,
-    process.env[property_lc] ||
+    property_lc,
-    process.env[property_uc] ||
+    property_uc,
-    process.env[property_lc.replace('_', '-')] ||
+    property_lc.replace('_', '-'),
-    process.env[property_uc.replace('_', '-')] ||
+    property_uc.replace('_', '-')
-    ''
+  ].filter((value, index, array) => array.indexOf(value) === index);
-  );
+  return candidates.map(name => process.env[name] || '').find(Boolean) || '';
 }
 
 /**