From c82233fb8f48be1654da9e20c988e1ded6b80276 Mon Sep 17 00:00:00 2001
From: Paul Mucur
Date: Sat, 7 Dec 2024 13:04:12 +0000
Subject: [PATCH] Prevent script injection attack in GitHub Actions

Information in the github context should be treated as untrusted user input and is therefore unsafe to interpolate into scripts. Instead, mitigate their damage by using an intermediate environment variable instead. See https://github.com/advisories/GHSA-7x29-qqmq-v6qc and https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections
---
 .github/workflows/build.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index fa3c5c851..047317f22 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -11,12 +11,14 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Log current branches and repositories
+ env:
+ REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }}
 run: |
 echo "Current ref: $GITHUB_REF"
 echo "Base ref: $GITHUB_BASE_REF"
 echo "Head ref: $GITHUB_HEAD_REF"
 echo "Repository: $GITHUB_REPOSITORY"
- echo "Head repository: ${{ github.event.pull_request.head.repo.full_name }}"
+ echo "Head repository: $REPO_FULL_NAME"
 - name: Only allow pull requests based on master from the develop branch of the current repository
 if: ${{ github.base_ref == 'master' && !(github.head_ref == 'develop' && github.event.pull_request.head.repo.full_name == github.repository) }}
 run: |
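Review bot: The reason for the `env:` indirection added above the `run: |` of the "Log current branches and repositories" step is recorded only in the commit message, not in the workflow, so a later edit can quietly reintroduce the direct `${{ }}` interpolation that this patch removes; a comment on the new `env:` line would pin it in place, e.g. `# github.event.* values are caller-controlled on pull_request; pass them through env, never interpolate into run:`. The `if:` expression on the following step still references `github.event.pull_request.head.repo.full_name` directly, which is fine because `if:` is evaluated by the runner rather than by a shell, and a short comment there would stop readers from "fixing" it the same way. The `run: |` body of that second step starts at the end of the hunk and continues outside it, so whether it also interpolates context values cannot be confirmed from here and should be checked with the same rule.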