sentinel-ci 1.3.3 → 1.3.4
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/lib/rules/github_script_injection.rb +14 -0
- data/lib/version.rb +1 -1
- metadata +1 -1
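--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 311e9ef6bf0248ed59eadc0c51fbf411fe5892b54e73510a887f197725fafdcb
+data.tar.gz: 83d76cd0dc7df0e14a014498ab63ed272cb936af491aea5672896d190edcd8e0
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: cdf56e7c5d5fbe73496e02cd8f4241e2860846e0eacbfe0aa02b33de5391c3b3143a4ee0564a7b90d66a888a163ecab58abe9e5bf6a64cd5c142f798d4a508f9
+data.tar.gz: fcb01f71edb835c1d7be8b7b552b8cf83e83b20512ec0c2974b45fe8fd0100bc48f86815bccfcee635694dca766f943d1dd6b7f6daf3677c83604b7d378f45f5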
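--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
 
+## 1.3.4 (2026-05-26)
+
+### Bug Fixes
+- github-script-injection: stop flagging `${{ inputs.* }}` / `${{ github.event.* }}` expressions that appear in a sibling `env:` block paired with the corresponding `process.env.VAR` reference in the `script:` body. This is the GHA-recommended safe pattern and was being flagged as a false positive after the v1.3.3 lookback-cap removal. Inline `script: "const x = '${{ ... }}';"` forms continue to fire correctly.
+
 ## 1.3.3 (2026-05-26)
 
 ### Bug Fixes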
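--- a/data/lib/rules/github_script_injection.rb
+++ b/data/lib/rules/github_script_injection.rb
@@ -64,12 +64,26 @@ module Rules
 STEP_KEYS = /(?:id|if|name|uses|run|working-directory|shell|with|env|continue-on-error|timeout-minutes|permissions|secrets)/
 
 def in_github_script_block?(workflow, target_line)
+target_content = workflow.raw_lines[target_line - 1]
+return false unless target_content
+target_indent = target_content[/^\s*/].length
+
 # Scan backward with no cap — use step keys as hard boundaries.
 (target_line - 1).downto(0) do |i|
 content = workflow.raw_lines[i]
 next unless content
 
 if content.match?(/^\s+script:\s*[\|>]?\s*$/) || content.match?(/^\s+script:\s+\S/)
+script_indent = content[/^\s*/].length
+
+# The target line must be indented deeper than the script: key
+# to be part of the script block body, UNLESS the target IS
+# the script: line itself (inline script form like
+# `script: "const t = '${{ ... }}'"`). If it's a different
+# line at the same or shallower indent, it's a sibling
+# step-key (e.g. env:), not script content.
+return false unless target_indent > script_indent || i == (target_line - 1)
+
 # Found a script: key. Now scan upward from here with no cap,
 # looking for uses: actions/github-script. Stop at any step key
 # that is NOT with:, env:, or uses: (those can appear between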
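Review bot: The sibling test added at new line 85 compares only the target's indent with the `script:` key's indent and ignores the lines scanned between them, so a deeper-indented line that belongs to a later sibling written as a block scalar (another `with:` input, or a step key given as `key: |` after `script:`) is still classified as script body and reported — the same class of false positive this commit removes for `env:`, one level down. Requiring every non-blank line between the `script:` key and the target to sit deeper than `script_indent` closes that gap without touching the inline form, which the `i == (target_line - 1)` clause still handles. The body of `in_github_script_block?` and this `if` branch both continue past the end of the hunk, so the upward scan for `uses: actions/github-script` is left as is. Separately, the new `raw_lines[target_line - 1]` subscript accepts a non-positive `target_line` and would then index from the end of the array (Ruby negative indexing); if callers can pass 0, a `return false unless target_line.positive?` guard before it is worth adding.
```ruby
if content.match?(/^\s+script:\s*[\|>]?\s*$/) || content.match?(/^\s+script:\s+\S/)
  script_indent = content[/^\s*/].length
  # Non-blank lines between the script: key and the target; all of them must
  # sit deeper than the key for the target to still be inside that block scalar.
  between = workflow.raw_lines[(i + 1)...(target_line - 1)].to_a.reject { |l| l.nil? || l.strip.empty? }
  inside_block = between.all? { |l| l[/^\s*/].length > script_indent }
  # … unchanged: comment explaining the inline-script exception …
  return false unless i == (target_line - 1) || (target_indent > script_indent && inside_block)
  # … unchanged: upward scan for uses: actions/github-script (continues past the hunk) …
```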
data/lib/version.rb