Harden security with inputs.

Removes a few inputs; gives up on trying to get a list of files in a single input.
Uses temporary directory to store SARIF file.

Author: chungyc

README.md

@@ -40,14 +40,8 @@ You only need to set them if the defaults do not work for your situation.
 `hlint-bin`
 :   Path to the hlint binary.
 
-`args`
-:   Extra arguments to pass to HLint.
-
 `path`
-:   Path or array of paths that HLint will be told to scan.
-
-`sarif_file`
-:   The name of the SARIF file to write and upload to GitHub code scanning.
+:   Path of file or directory that HLint will be told to scan.
 
 `category`
 :   String used by GitHub code scanning for matching the analyses.
@@ -65,10 +59,6 @@ Instead, its goal is to file [GitHub code scanning] alerts.
 To use HLint for status checks, e.g., during pushes or pull requests,
 see [haskell/actions/hlint-run] instead.
 
-This action has not hardened security with its inputs yet.
-Do *not* use this action in a situation where uncontrolled input can be passed to it.
-E.g., another action which would pass its input to this one.
-
 ## Code of conduct
 
 Be nice; see [`CODE_OF_CONDUCT.md`](docs/CODE_OF_CONDUCT.md) for details.

action.yaml

@@ -20,18 +20,10 @@ inputs:
     description: Path to the hlint binary.
     required: false
     default: hlint
-  args:
-    description: An array of extra arguments to pass to HLint.
-    required: false
-    default: null
   path:
-    description: Path or array of paths that HLint will be told to scan.
+    description: Path of file or directory that HLint will be told to scan.
     required: false
     default: .
-  sarif_file:
-    description: The name of the SARIF file to write and upload to GitHub code scanning.
-    required: false
-    default: hlint.sarif
   category:
     description: String used by GitHub code scanning for matching the analyses.
     required: false
@@ -48,17 +40,17 @@ runs:
   steps:
 
     - name: Run HLint
-      run: $BINARY --no-exit-code --sarif ${ARGS} ${PATHS} >> ${SARIF_FILE}
+      run: |
+        "$BINARY" --no-exit-code --sarif "$FILEPATH" >> $TMPDIR/hlint.sarif
       shell: bash
       env:
-        ARGS: ${{ join(inputs.args, ' ') }}
         BINARY: ${{ inputs.binary }}
-        PATHS: ${{ join(inputs.path, ' ') }}
-        SARIF_FILE: ${{ inputs.sarif_file }}
+        FILEPATH: ${{ inputs.path }}
+        TMPDIR: ${{ runner.temp }}
 
     - id: upload-sarif
       name: Upload SARIF file
       uses: github/codeql-action/upload-sarif@v2
       with:
-        sarif_file: ${{ inputs.sarif_file }}
+        sarif_file: ${{ runner.temp }}/hlint.sarif
         category: ${{ inputs.category }}