Support disable/enable commands #36
I haven't looked too closely at |
It disables all command processing when echoing unsanitized strings to
stdout.
--
Daniel C. Sobral
On Mon, Nov 16, 2020 at 3:08 PM Daniel Spiewak ***@***.***> wrote:
> I haven't looked too closely at stop-commands; what's the use-case for
> this beyond demonstrating security vulnerabilities?
Is that common enough to merit having its own semantic action rather than just using |
It's not just stop-commands -- you have to add the token as well, with all
that decoding. I believe the secure way of doing things should be as easy
as possible, that's my main concern.
--
Daniel C. Sobral
On Mon, Nov 16, 2020 at 3:20 PM Daniel Spiewak ***@***.***> wrote:
> Is that common enough to merit having its own semantic action rather than
> just using WorkflowStep.Run(List("echo ::stop-commands::"))?
Ahhhh, I see. I would accept a PR for that. Probably something like |
The example from github blog is:
The disable/enable is constant, so they could be provided as actions. Better yet, though, would be a withUntrusted or withCommandsDisabled workflow step that takes other workflow steps as input, and runs them with commands disabled as above.
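The disable/enable pattern discussed in this thread, as an added shell example that is not part of the issue or of the project's code: emit `::stop-commands::` with a random token, run the step that prints untrusted text, then emit `::<token>::` to resume. The helper names `gen_token` and `with_commands_disabled` and the sample string are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not code from the issue or from sbt-github-actions.
# Wraps a command so the runner ignores "::command::" lines in its output.

# gen_token (hypothetical helper): 32 hex characters from the kernel CSPRNG.
# The token must be unpredictable, otherwise the untrusted output could
# print "::<token>::" itself and switch command processing back on.
gen_token() {
  od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# with_commands_disabled CMD [ARGS...] (hypothetical helper)
with_commands_disabled() {
  local token status
  token="$(gen_token)"
  if [ "${#token}" -ne 32 ]; then
    echo "token generation failed; refusing to run command" >&2
    return 1
  fi
  printf '::stop-commands::%s\n' "$token"
  status=0
  "$@" || status=$?
  # Leading newline: if the command's last line was unterminated, the
  # resume marker must still start at the beginning of a line.
  printf '\n::%s::\n' "$token"
  # Processing is re-enabled even when the command failed; its exit
  # status is passed through so the step still fails.
  return "$status"
}

# Constructed sample input: attacker-influenced text that contains a
# workflow command.
untrusted='::warning::spoofed annotation'
with_commands_disabled printf '%s\n' "$untrusted"
```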