Skip to content

Commit 704531e

Browse files
tastybentoclaude
andcommitted
Fix GitHub Actions security findings in e2e workflow
- S7630 (BLOCKER, script injection): bind inputs.test_names to a TEST_NAMES env var and reference it as a quoted shell variable instead of interpolating ${{ inputs.* }} directly into the run block. - S7637 (MAJOR, unpinned action): pin gradle/actions/setup-gradle to the v4.4.4 commit SHA. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01NKxodNE4h3TsSHMqDEeC8v
1 parent b58147b commit 704531e

1 file changed

Lines changed: 8 additions & 5 deletions

File tree

.github/workflows/e2e.yml

Lines changed: 8 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -38,7 +38,7 @@ jobs:
3838
node-version: 20
3939

4040
- name: Set up Gradle (with caching)
41-
uses: gradle/actions/setup-gradle@v4
41+
uses: gradle/actions/setup-gradle@748248ddd2a24f49513d8f472f81c3a07d4d50e1 # v4.4.4
4242

4343
# Reuse the Paper jar + downloaded libraries and the BentoBox/BSkyBlock jars across runs.
4444
# plugwright's clean step preserves server.jar / cache / libraries, and build.gradle.kts
@@ -66,12 +66,15 @@ jobs:
6666
working-directory: e2e
6767
env:
6868
PLUGWRIGHT_DEBUG: "1"
69+
# Bind the user-controlled input to an env var and reference it as a shell variable
70+
# below — never interpolate ${{ inputs.* }} directly into a run block (script injection).
71+
TEST_NAMES: ${{ inputs.test_names }}
6972
run: |
70-
ARGS=""
71-
if [ -n "${{ inputs.test_names }}" ]; then
72-
ARGS="-PtestNames=${{ inputs.test_names }}"
73+
if [ -n "$TEST_NAMES" ]; then
74+
./gradlew plugwrightTest "-PtestNames=$TEST_NAMES" --no-daemon
75+
else
76+
./gradlew plugwrightTest --no-daemon
7377
fi
74-
./gradlew plugwrightTest $ARGS --no-daemon
7578
7679
# Always upload the server log + any plugwright report so a regression is debuggable.
7780
- name: Upload server log & report

0 commit comments

Comments
 (0)