fix: quote env var references in run blocks

Did some research into the CodeQL envvar-injection-critical guidance
(https://codeql.github.com/codeql-query-help/actions/actions-envvar-injection-critical/)
and wanted to add this additional change to prevent shell injection
through attacker-controllable values like ref names and workflow inputs,
and to prevent unexpected behavior from special characters in secret values.

Before: echo ${REF_NAME}
After:  echo "${REF_NAME}"
dagecko 2026-03-28 13:34:29 -04:00
parent 4092c6d0a9
commit 8eccdc0a23

@ -52,11 +52,11 @@ jobs:
run: |
git config --local user.name "github-actions"
git config --local user.email "github-actions@github.com"
git fetch origin ${HEAD_REF}
git checkout -B ${HEAD_REF} origin/${HEAD_REF}
git fetch origin "${HEAD_REF}"
git checkout -B "${HEAD_REF}" "origin/${HEAD_REF}"
git add comfyui_version.py
git diff --quiet && git diff --staged --quiet || git commit -m "chore: Update comfyui_version.py to match pyproject.toml"
git push origin HEAD:${HEAD_REF}
git push origin "HEAD:${HEAD_REF}"
env:
HEAD_REF: ${{ github.head_ref }}
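
Review bot: Quoting in `git fetch origin "${HEAD_REF}"` and `git checkout -B "${HEAD_REF}" "origin/${HEAD_REF}"` stops word splitting and glob expansion, but a value that begins with `-` would still reach git as an option rather than a ref name. Since `HEAD_REF` comes from `github.head_ref`, consider validating it once at the top of the run block, for example with `git check-ref-format --branch "${HEAD_REF}"`, and failing the step if that check does not pass. On the push line, spelling out the destination as `"HEAD:refs/heads/${HEAD_REF}"` would also make it explicit that only a branch can be written.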