Merge pull request #11 from 1Password/eddy/fix-injection

Improve the way input is processed to avoid command injection
1Password · May 18, 2022 · d50df7c · d50df7c
2 parents e28960d + a5debe1
commit d50df7c
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 9 deletions.
diff --git a/action.yml b/action.yml
@@ -10,8 +10,9 @@ inputs:
     default: false
 runs:
   using: composite
-  steps: 
-    - run: |
-        export INPUT_UNSET_PREVIOUS=${{ inputs.unset-previous }}
+  steps:
+    - shell: bash
+      env:
+        INPUT_UNSET_PREVIOUS: ${{ inputs.unset-previous }}
+      run: |
         ${{ github.action_path }}/entrypoint.sh
-      shell: bash
diff --git a/configure/action.yml b/configure/action.yml
@@ -8,9 +8,10 @@ inputs:
     description: Token to authenticate to your 1Password Connect instance
 runs:
   using: composite
-  steps: 
-    - run: |
-        export INPUT_CONNECT_HOST=${{ inputs.connect-host }}
-        export INPUT_CONNECT_TOKEN=${{ inputs.connect-token }}
+  steps:
+    - shell: bash
+      env:
+        INPUT_CONNECT_HOST: ${{ inputs.connect-host }}
+        INPUT_CONNECT_TOKEN: ${{ inputs.connect-token }}
+      run: |
         ${{ github.action_path }}/entrypoint.sh
-      shell: bash