reviewed changes

Author: lucas-zimerman

danger/README.md

@@ -29,8 +29,16 @@ jobs:
   * type: string
   * required: false
   * default: `${{ github.token }}`
-  * extra-dangerfile: Path to an additional dangerfile to run custom checks.
-  * extra-install-packages: Additional packages that are required by the extra-dangerfile, you can find a list of packages here: https://packages.debian.org/search?suite=bookworm&keywords=curl.
+
+* `extra-dangerfile`: Path to an additional dangerfile to run custom checks.
+  * type: string
+  * required: false
+  * default: ""
+
+* `extra-install-packages`: Additional packages that are required by the extra-dangerfile, you can find a list of packages here: https://packages.debian.org/search?suite=bookworm&keywords=curl.
+  * type: string
+  required: false
+  default: ""
 
 ## Outputs
 
@@ -54,4 +62,18 @@ The Danger action runs the following checks:
 - **Conventional commits**: Validates commit message format and PR title conventions
 - **Cross-repo links**: Checks for proper formatting of links in changelog entries
 
-For detailed rule implementations, see [dangerfile.js](dangerfile.js).
+For detailed rule implementations, see [dangerfile.js](dangerfile.js).
+
+## Extra Danger File
+
+When using an extra dangerfile, the file must be inside the repository and written in CommonJS syntax. You can use the following snippet to export your dangerfile:
+
+```JavaScript
+module.exports = async function ({ fail, warn, message, markdown, danger }) {
+  ...
+  const gitUrl = danger.github.pr.head.repo.git_url;
+  ...
+  warn('...');
+}
+
+```

danger/action.yml

@@ -65,7 +65,6 @@ runs:
           -e DANGER_DISABLE_TRANSPILATION="true" \
           -e EXTRA_DANGERFILE_INPUT="${{ inputs.extra-dangerfile }}" \
           ghcr.io/danger/danger-js:${{ steps.config.outputs.version }} \
-          ghcr.io/danger/danger-js:${{ steps.config.outputs.version }} \
           -c "sleep infinity"
 
     - name: Setup additional packages

danger/dangerfile.js

@@ -1,5 +1,4 @@
 const { getFlavorConfig, extractPRFlavor } = require('./dangerfile-utils.js');
-const fs = require('fs');
 
 const headRepoName = danger.github.pr.head.repo.git_url;
 const baseRepoName = danger.github.pr.base.repo.git_url;
@@ -190,11 +189,22 @@ async function checkActionsArePinned() {
 async function CheckFromExternalChecks() {
   // Get the external dangerfile path from environment variable (passed via workflow input)
   // Priority: EXTRA_DANGERFILE (absolute path) -> EXTRA_DANGERFILE_INPUT (relative path)
-  const customPath = process.env.EXTRA_DANGERFILE || process.env.EXTRA_DANGERFILE_INPUT;
-  console.log(`::debug:: Checking from external checks: ${customPath}`);
-  if (customPath) {
+  const extraDangerFilePath = process.env.EXTRA_DANGERFILE || process.env.EXTRA_DANGERFILE_INPUT;
+  console.log(`::debug:: Checking from external checks: ${extraDangerFilePath}`);
+  if (extraDangerFilePath) {
     try {
+      const workspaceDir = '/github/workspace';
+      const customPath = path.join('/github/workspace', extraDangerFilePath);
+      if (!customPath.startsWith(workspaceDir)) {
+        fail(`Invalid dangerfile path: ${customPath}. Path traversal is not allowed.`);
+        return;
+      }      
+      
       const extraModule = require(`/github/workspace/${customPath}`);
+      if (typeof extraModule !== 'function') { 
+        warn(`EXTRA_DANGERFILE must export a function at ${customPath}`); 
+        return; 
+      }
       await extraModule({
         fail: fail, 
         warn: warn,