Commit e807545

committed

Remove false positive docker/build-push-action context sink model

The `context` input is passed as a single array element through `docker/actions-toolkit` and `@actions/exec` all the way to `child_process.spawn()`, which does not perform shell splitting. No code injection is possible. Fixes #21428

1 parent 55d16e8 commit e807545Copy full SHA for e807545

1 file changed

+0

-6

lines changed

actions/ql/lib/ext/manual
- docker_build-push-action.model.yml

1 file changed

+0

-6

lines changed

`‎actions/ql/lib/ext/manual/docker_build-push-action.model.yml‎`

This file was deleted.

Comments

(0)