mirror of
https://github.com/MarijnDoeve/TijdVoorDeTest.git
synced 2026-07-04 22:50:15 +02:00
fix(ci): prevent script injection in Portainer deployment step (#170)
Move IMAGE_TAG and SENTRY_RELEASE step outputs into env: vars so they are passed as environment variables rather than interpolated directly into the shell command string, eliminating a potential script-injection vector via a crafted tag or Sentry version value.
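A lightweight check for the anti-pattern this commit removes, added here as an example and not part of the TijdVoorDeTest repository: it scans workflow text for `${{ ... }}` expressions that sit inside a `run:` block and whose root (step outputs, event fields, inputs) is attacker-influenceable, which is exactly the case where the value should instead be passed through `env:`. The list of untrusted roots and the sample workflow are constructed for the example.

```python
import re

# Expression roots treated as attacker-influenceable (constructed list for
# this example; tune it for your repository). Step outputs are included
# because the workflow above interpolated steps.meta.outputs.* into a shell
# command before the fix.
UNTRUSTED_ROOTS = ("github.event.", "github.head_ref", "steps.", "inputs.", "needs.")

EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")
RUN_RE = re.compile(r"^(\s*)(-\s+)?run:")


def find_run_interpolations(workflow_text):
    """Return [(line_no, expression)] for every ${{ }} that appears inside a
    run: block and starts with one of UNTRUSTED_ROOTS. Plain-text scan, so it
    needs no YAML parser; a run: block ends at the next non-blank line whose
    indent is at or left of the run: key."""
    findings = []
    in_run, key_indent = False, -1
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if in_run and stripped and indent <= key_indent:
            in_run = False
        m = RUN_RE.match(line)
        if m:
            in_run = True
            key_indent = len(m.group(1)) + len(m.group(2) or "")
        if not in_run:
            continue
        for expr in EXPR_RE.findall(line):
            if expr.startswith(UNTRUSTED_ROOTS):
                findings.append((lineno, expr))
    return findings


# Constructed sample: the vulnerable step from before the fix next to the
# fixed step, which references the same output via env: only.
SAMPLE_WORKFLOW = """\
jobs:
  deploy:
    steps:
      - id: meta
        run: echo "tag=v1" >> "$GITHUB_OUTPUT"
      - name: vulnerable
        env:
          PORTAINER_WEBHOOK: ${{secrets.PORTAINER_WEBHOOK}}
        run: |
          curl -X POST "${PORTAINER_WEBHOOK}?IMAGE_TAG=${{steps.meta.outputs.tag}}"
      - name: fixed
        env:
          IMAGE_TAG: ${{steps.meta.outputs.tag}}
        run: |
          curl -X POST "${PORTAINER_WEBHOOK}?IMAGE_TAG=${IMAGE_TAG}"
"""

if __name__ == "__main__":
    for lineno, expr in find_run_interpolations(SAMPLE_WORKFLOW):
        print(f"line {lineno}: move ${{{{ {expr} }}}} into env: and use it as a shell variable")
```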
@@ -243,5 +243,7 @@ jobs:
|
|||||||
shell: bash
|
shell: bash
|
||||||
env:
|
env:
|
||||||
PORTAINER_WEBHOOK: ${{secrets.PORTAINER_WEBHOOK}}
|
PORTAINER_WEBHOOK: ${{secrets.PORTAINER_WEBHOOK}}
|
||||||
|
IMAGE_TAG: ${{steps.meta.outputs.tag}}
|
||||||
|
SENTRY_RELEASE: ${{steps.meta.outputs.sentry_version}}
|
||||||
run: |
|
run: |
|
||||||
curl -v -X POST "${PORTAINER_WEBHOOK}?IMAGE_TAG=${{steps.meta.outputs.tag}}&SENTRY_RELEASE=${{steps.meta.outputs.sentry_version}}" --fail-with-body
|
curl -v -X POST "${PORTAINER_WEBHOOK}?IMAGE_TAG=${IMAGE_TAG}&SENTRY_RELEASE=${SENTRY_RELEASE}" --fail-with-body
|
||||||
|
|||||||
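Review bot: the `env:` move closes the shell-injection path, but in the new `run` line both values are still spliced into the webhook URL unencoded (`curl -v -X POST "${PORTAINER_WEBHOOK}?IMAGE_TAG=${IMAGE_TAG}&SENTRY_RELEASE=${SENTRY_RELEASE}" --fail-with-body`), so a tag or Sentry version containing `&`, `#` or `?` can still change which query parameters Portainer receives. Passing them as `curl -G -X POST --data-urlencode "IMAGE_TAG=${IMAGE_TAG}" --data-urlencode "SENTRY_RELEASE=${SENTRY_RELEASE}" "${PORTAINER_WEBHOOK}" --fail-with-body` URL-encodes them, and a shell pattern check on both variables before the call (they come from the `meta` step, so an allowlist of tag-safe characters) would fail the job on anything unexpected. Separately, `-v` writes the full request line to the job log, which includes the path portion of the secret webhook URL; `-sS` with `--fail-with-body` keeps the error body without echoing the request.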