fix(ci): Sanitize workflow inputs with an env var

Use an intermediate env var, sanitized by GitHub, to prevent
exploitation from untrusted user-provided input.

Reported-By: Alessandro Braccio <[email protected]>
Signed-off-by: Loïc Minier <[email protected]>

Author: lool

.github/workflows/build-overlay-deb.yml

@@ -8,6 +8,9 @@ on:
         required: true
         type: string
 
+env:
+  - CONFIG: ${{ inputs.config }}
+
 jobs:
   build:
     strategy:
@@ -51,7 +54,7 @@ jobs:
           DEBIAN_FRONTEND=noninteractive \
               apt -y install --no-install-recommends python3 python3-yaml
           # read suite from yaml
-          suite="$(python3 -c "import yaml; print(yaml.safe_load(open('${{ inputs.config }}'))['suite'])")"
+          suite="$(python3 -c "import os, yaml; print(yaml.safe_load(open(os.environ['CONFIG']))['suite'])")"
           # defaults args
           extra_repo=""
           debootstrap_suite="${suite}"
@@ -87,7 +90,7 @@ jobs:
           mkdir -v upload
           chmod a+rw upload
           sudo -u builder python3 scripts/build-deb.py \
-              --config "${{ inputs.config }}" --output-dir upload
+              --config "$CONFIG" --output-dir upload
 
       - name: Upload as private artifacts
         uses: qualcomm-linux/upload-private-artifact-action@v1