actions/setup-php
1
0
Fork 0
mirror of https://github.com/shivammathur/setup-php.git synced 2026-05-16 02:08:48 +07:00
Code Issues Packages Projects Releases Wiki Activity

GHSA-pqwm-q9pv-ph8r - Fix CWE-78 [skip ci]

Browse Source
This commit is contained in:
Shivam Mathur
2026-05-14 03:56:37 +05:30
parent 0dc33069a3
commit eeef37e059
8 changed files with 199 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/tools.ts
View File

@@ -231,7 +231,7 @@ export async function getVersion(
case !!data.repository && major_minor_regex.test(data.version):
return await getSemverVersion(data);
default:
return data.version.replace(/[><=^~]*/, '');
return data.version.replace(/[^a-zA-Z0-9_.:@+,/-]/g, '');
}
}
@@ -347,12 +347,9 @@ export async function addArchive(data: ToolData): Promise<string> {
export async function addPackage(data: ToolData): Promise<string> {
const command = await utils.getCommand(data.os, 'composer_tool');
const parts: string[] = data.repository.split('/');
const args: string = await utils.joins(
parts[1],
data.release,
parts[0] + '/',
data.scope
);
const args = [parts[1], data.release, parts[0] + '/', data.scope]
.map(a => utils.safeArg(a, data.os))
.join(' ');
return command + args;
}