Harden security with inputs
chungyc opened this issue · 1 comment
chungyc commented
The hlint-scan action currently does not secure its inputs. The single value inputs are no problem, because we can use environment variables to ensure they are passed as a single value. However, the multiple value inputs are.
There appears to be no way to pass in multiple values from a single input without joining them. And we can either pass the result as a single string, which breaks the semantics, or as part of the command, which is vulnerable to script injection attacks.
I'm not sure what to do about this. It's possible I may have to rewrite this as a JavaScript or Docker action if I want to harden security against inputs.
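As an added illustration (not code from the hlint-scan repository), the two patterns the issue contrasts, written as a composite action with a hypothetical whitespace-separated input named `hints`; the `--hint=FILE` flag is hlint's own, everything else here is assumed:

```yaml
# Added example, not the hlint-scan action's own action.yml.
inputs:
  hints:
    description: Extra hint files, separated by whitespace (hypothetical input)
    required: false
    default: ''
runs:
  using: composite
  steps:
    # Weak: the ${{ }} expression is expanded into the script text before the
    # shell parses it, so shell metacharacters in the input value (';', '$(...)',
    # backticks) are interpreted as commands. This is the script injection the
    # issue describes.
    - run: hlint --hint=${{ inputs.hints }} .
      shell: bash

    # Hardened: hand the value to the shell as an environment variable. The
    # shell only ever sees it as data; it is never re-parsed as command text.
    # `read -r -a` splits on whitespace without pathname expansion, which is
    # why values containing spaces cannot be represented (the semantic loss
    # the issue points out).
    - env:
        HLINT_HINTS: ${{ inputs.hints }}
      run: |
        set -euo pipefail
        read -r -a hint_files <<< "${HLINT_HINTS}"
        args=()
        for f in "${hint_files[@]}"; do
          args+=("--hint=${f}")
        done
        hlint "${args[@]}" .
      shell: bash
```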