feat: mitigating script injection attacks by passing issue body as env var (#42)

BREAKING CHANGE: Add `issue-body` argument which is required from v3 onwards

To mitigate script injection attacks, github-issue-parser v3 will require workflow authors to pass the issue body as an argument. By doing so you will follow GitHub's [Good practices for mitigating script injection attacks
](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#good-practices-for-mitigating-script-injection-attacks)

```yml
- uses: stefanbuck/github-issue-parser@v3
  id: issue-parser
  with:
    issue-body: ${{ github.event.issue.body }} # required
    template-path: .github/ISSUE_TEMPLATE/bug-report.yml # optional but recommended
```

Author: stefanbuck

.github/workflows/release.yml

@@ -20,7 +20,7 @@ jobs:
           git config user.email [email protected]
           git add .gitignore dist/
           git commit -m "build"
-          git push --force https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git HEAD:refs/heads/v2
+          git push --force https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git HEAD:refs/heads/v3
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - run: npx semantic-release

README.md

@@ -7,104 +7,86 @@ Use this action to convert issues into a unified JSON structure. Read the [Codel
 ## Setup
 
 ```yml
-- uses: stefanbuck/github-issue-parser@v2
+- uses: stefanbuck/github-issue-parser@v3
   id: issue-parser
   with:
-    template-path: .github/ISSUE_TEMPLATE/bug-report.yml
+    issue-body: ${{ github.event.issue.body }} # required
+    template-path: .github/ISSUE_TEMPLATE/bug-report.yml # optional but recommended
 
-- run: echo '${{ steps.issue-parser.outputs.jsonString }}' > bug-details.json
+- run: cat ${HOME}/issue-parser-result.json
 
-- run: echo '${{ steps.issue-parser.outputs.issueparser_your_contact_details }}'
+- run: echo $FAVORITE_DISH
+  env:
+    FAVORITE_DISH: ${{ steps.issue-parser.outputs.issueparser_favorite_dish }}
 ```
 
-`template-path` is optional and meant to be used with Issue Forms.
-
 ## Example
 
 Given an issue form
 
 ```yml
-name: Bug
-description: Something is broken
-
-title: "Order Pizza"
-
 body:
   - type: input
-    id: contact
-    attributes:
-      label: Your contact details
-    validations:
-      required: true
-
-  - type: input
-    id: what_happened
-    attributes:
-      label: What happened?
-    validations:
-      required: true
-
-  - type: input
-    id: version
-    attributes:
-      label: Version
-    validations:
-      required: true
-
-  - type: input
-    id: browsers
+    id: favorite_dish
     attributes:
-      label: What browsers are you seeing the problem on?
+      label: What's your favorite dish?
     validations:
       required: true
 
   - type: checkboxes
-    id: what_else
+    id: favorite_color
     attributes:
-      label: What else?
+      label:  What's your preferred color?
       options:
-        - label: Never give up
-        - label: Hot Dog is a Sandwich
+        - label: Red
+        - label: Green
+        - label: Blue
 ```
 
 And an issue body
 
 ```md
-### Your contact details
+### What's your favorite dish?
 
-[email protected]
+Pizza
 
-### What happened?
+### What's your preferred color?
 
-A bug happened!
+- [x] Red
+- [ ] Green
+- [x] Blue
+```
 
-### Version
+The actions output will be
 
-1.0.0
+```json
+{
+  "favorite_dish": "Pizza",
+  "favorite_color": ["Red", "Blue"]
+}
+```
+
+## Action outputs
 
-### What browsers are you seeing the problem on?
+- `jsonString` - The entire output
+- `issueparser_<field_id>` - Access individual values
 
-Chrome, Safari
 
-### What else?
+Please take a look at GitHub's [Good practices for mitigating script injection attacks](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#good-practices-for-mitigating-script-injection-attacks) when using inline scripts. The examples blow are safe because they use intermediate environment variable as suggested by GitHub.
 
-- [x] Never give up
-- [ ] Hot Dog is a Sandwich
+```yaml
+- run: echo $JSON_STRING > output.json
+  env:
+    JSON_STRING: ${{ steps.issue-parser.outputs.jsonString }}
 ```
 
-The actions output will be
 
-```json
-{
-  "contact": "[email protected]",
-  "what_happened": "A bug happened!",
-  "version": "1.0.0",
-  "browsers": "Chrome, Safari",
-  "what_else": ["Never give up"]
-}
+```yaml
+- run: echo $FAV_DISH
+  env:
+    FAV_DISH: ${{ steps.issue-parser.outputs.issueparser_favorite_dish }}
 ```
 
-
 Want to learn more about this concept? Check out the [Codeless Contributions with GitHub Issue Forms](https://stefanbuck.com/blog/codeless-contributions-with-github-issue-forms) post on my blog.
 
 

action.yml

@@ -6,9 +6,12 @@ branding:
 inputs:
   template-path:
     description: 'Path to the issue form template file'
+  issue-body:
+    required: true
+    description: 'Issue body to parse'
 outputs:
   jsonString:
     description: 'JSON string'
 runs:
-  using: 'node12'
+  using: 'node16'
   main: 'dist/index.js'

fixtures/blank/issue.js

@@ -0,0 +1,9 @@
+{
+  "contact": "[email protected]",
+  "what_happened": "A bug happened!",
+  "version": "1.0.0",
+  "browsers": "Chrome, Safari",
+  "anything_else": ["Never give up"],
+  "second_anything_else": ["Hot Dog is a Sandwich", "Another item"],
+  "checkbox_without_an_id": []
+}

fixtures/full-example/expected.json

@@ -0,0 +1,52 @@
+body:
+  - type: input
+    id: contact
+    attributes:
+      label: Your contact details
+    validations:
+      required: true
+
+  - type: input
+    id: what_happened
+    attributes:
+      label: What happened?
+    validations:
+      required: true
+
+  - type: input
+    id: version
+    attributes:
+      label: Version
+    validations:
+      required: true
+
+  - type: input
+    id: browsers
+    attributes:
+      label: What browsers are you seeing the problem on?
+    validations:
+      required: true
+
+  - type: checkboxes
+    id: anything_else
+    attributes:
+      label: What else?
+      options:
+        - label: Never give up
+        - label: Hot Dog is a Sandwich
+
+  - type: checkboxes
+    id: second_anything_else
+    attributes:
+      label: And with that?
+      options:
+        - label: Never give up
+        - label: Hot Dog is a Sandwich
+        - label: Another item
+
+  - type: checkboxes
+    attributes:
+      label: Checkbox without an id?
+      options:
+        - label: IDs are great
+        - label: IDs are bad

fixtures/full-example/form.yml

@@ -0,0 +1,31 @@
+### Your contact details
+
+[email protected]
+
+### What happened?
+
+A bug happened!
+
+### Version
+
+1.0.0
+
+### What browsers are you seeing the problem on?
+
+Chrome, Safari
+
+### What else?
+
+- [x] Never give up
+- [ ] Hot Dog is a Sandwich
+
+### And with that?
+
+- [] Never give up
+- [X] Hot Dog is a Sandwich
+- [x] Another item
+
+### Checkbox without an id?
+
+- [ ] IDs are great
+- [ ] IDs are bad

fixtures/full-example/issue-body.md

@@ -0,0 +1,6 @@
+const { resolve } = require("path");
+const { readFileSync } = require("fs");
+
+const issueBodyPath = resolve(__dirname, "issue-body.md");
+
+module.exports = readFileSync(issueBodyPath, "utf-8");

fixtures/full-example/issue.js

@@ -3,8 +3,4 @@ const { readFileSync } = require("fs");
 
 const issueBodyPath = resolve(__dirname, "issue-body.md");
 
-module.exports = {
-  issue: {
-    body: readFileSync(issueBodyPath, "utf-8"),
-  },
-};
+module.exports = readFileSync(issueBodyPath, "utf-8")

fixtures/multiple-paragraphs/issue.js

@@ -1,9 +1,4 @@
 {
-  "contact": "[email protected]",
-  "what_happened": "A bug happened!",
-  "version": "1.0.0",
-  "browsers": "Chrome, Safari",
-  "anything_else": ["Never give up"],
-  "second_anything_else": ["Hot Dog is a Sandwich", "Another item"],
-  "checkbox_without_an_id": []
+  "favorite_dish": "Pizza",
+  "favorite_color": ["Red", "Blue"]
 }