Merge pull request #1 from fahrradflucht/bugfix/stop-commands-in-history-log

fahrradflucht · web-flow · commit 06ef50e1415e · 2026-03-04T15:13:29.000+01:00
Prevent workflow command injection via commit history log
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -166,7 +166,10 @@ declare -A history_type=(
     ["compare"]="$(git log "${tag_commit}".."${commit}" --format=%B)" \
 )
 log=${history_type[${branch_history}]}
+stop_commands_token=$(cat /proc/sys/kernel/random/uuid)
+echo "::stop-commands::${stop_commands_token}"
 printf "History:\n---\n%s\n---\n" "$log"
+echo "::${stop_commands_token}::"
 
 if [ -z "$tagPrefix" ]
 then
