actions/toolkit
1
0
Fork 0
mirror of https://git.mirrors.martin98.com/https://github.com/actions/toolkit synced 2026-04-06 22:53:28 +08:00
Code Issues Packages Projects Releases Wiki Activity

Strip INPUT_* env variables from subprocesses

Browse Source
This commit is contained in:
Luke Tomlinson
2021-05-05 16:32:13 -04:00
parent 3491e2eeea
commit fad1bf5141
3 changed files with 21 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
packages/exec/src/interfaces.ts
View File

@@ -6,7 +6,7 @@ export interface ExecOptions {
/** optional working directory. defaults to current */
cwd?: string
/** optional envvar dictionary. defaults to current process's env */
/** optional envvar dictionary. defaults to current process's env with `INPUT_*` variables removed */
env?: {[key: string]: string}
/** optional. defaults to false */

12
packages/exec/src/toolrunner.ts
View File

@@ -377,7 +377,7 @@ export class ToolRunner extends events.EventEmitter {
options = options || <im.ExecOptions>{}
const result = <child.SpawnOptions>{}
result.cwd = options.cwd
result.env = options.env
result.env = options.env || stripInputEnvironmentVariables(process.env)
result['windowsVerbatimArguments'] =
options.windowsVerbatimArguments || this._isCmdFile()
if (options.windowsVerbatimArguments) {
@@ -600,6 +600,16 @@ export function argStringToArray(argString: string): string[] {
return args
}
// Strips INPUT_ environment variables to prevent them leaking to child processes
export function stripInputEnvironmentVariables(env: NodeJS.ProcessEnv): NodeJS.ProcessEnv {
return Object.entries(env).filter(([key, value]) => {
return !key.startsWith('INPUT_')
}).reduce((obj: NodeJS.ProcessEnv, [key, value]) => {
obj[key] = value
return obj
}, {})
}
class ExecState extends events.EventEmitter {
constructor(options: im.ExecOptions, toolPath: string) {
super()