
ci: use --sandbox for dynamically generated sed scripts

sed scripts are capable of doing file I/O and executing arbitrary
commands. The `--sandbox` option prevents this by rejecting sed commands
with such capabilities; it's good practice to use this whenever the sed
script is dynamically generated (e.g. if it involves a variable
expansion).

Also fixed an error in one sed script where `.*` had been placed outside
of the quoted string (and would therefore be subject to shell globbing),
presumably due to single-quotes having been changed to double-quotes at
some point in the past.

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
Daniel Hast
2025-12-01 08:05:02 -05:00
parent b9736e8d11
commit 3f4af378f4
4 changed files with 8 additions and 8 deletions


@@ -34,7 +34,7 @@ jobs:
echo "::notice:: bumping z up to $devbump"
fi
sed -i "s/const RawVersion = ".*"/const RawVersion = \"${devbump}\"/g" version/rawversion/version.go
sed --sandbox -i -e "s/const RawVersion = \".*\"/const RawVersion = \"${devbump}\"/g" version/rawversion/version.go
echo "devbump=$devbump" >> $GITHUB_OUTPUT
- name: Push
@@ -121,7 +121,7 @@ jobs:
devbump="$(IFS=. ; echo "${arr[*]}")-dev"
echo "::notice:: Bumping main to: $devbump"
sed -i "s/const RawVersion = \".*\"/const RawVersion = \"$devbump\"/g" version/rawversion/version.go
sed --sandbox -i -e "s/const RawVersion = \".*\"/const RawVersion = \"${devbump}\"/g" version/rawversion/version.go
echo "devbump=$devbump" >> $GITHUB_OUTPUT
- name: Push
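Review bot: `--sandbox` on the new `sed --sandbox -i -e "s/const RawVersion = \".*\"/..."` line (present in both hunks of this file) only rejects the `e`, `r` and `w` commands; it does not stop a `devbump` value containing `/`, `&`, `\` or a newline from changing what the `s` command matches or writes, so the expansion still deserves a shape check before it reaches sed. The second hunk shows devbump assembled from `arr` plus a literal `-dev`, which suggests it is normally well-formed, but where `arr` comes from is outside the hunk. A one-line guard such as `[[ "$devbump" =~ ^[0-9]+(\.[0-9]+)*(-dev)?$ ]] || { echo "::error::unexpected devbump: $devbump"; exit 1; }` before each sed call would make the sandbox a second line of defence rather than the only one. `--sandbox` is GNU sed-specific, which is presumably fine on the runners these jobs use; the enclosing `run:` blocks begin outside both hunks.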


@@ -71,9 +71,9 @@ jobs:
PR_NUMBER="${{ github.event.inputs.pr_number || github.event.pull_request.number }}"
MERGE_DATE=$(date -u +"%B %d, %Y")
sed -i "/id=\"contributorName\"/s/value=\"[^\"]*\"/value=\"${CONTRIBUTOR_NAME}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update contributor name."; exit 1; }
sed -i "/id=\"prNumber\"/s/value=\"[^\"]*\"/value=\"#${PR_NUMBER}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update PR number."; exit 1; }
sed -i "/id=\"mergeDate\"/s/value=\"[^\"]*\"/value=\"${MERGE_DATE}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update merge date."; exit 1; }
sed --sandbox -i -e "/id=\"contributorName\"/s/value=\"[^\"]*\"/value=\"${CONTRIBUTOR_NAME}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update contributor name."; exit 1; }
sed --sandbox -i -e "/id=\"prNumber\"/s/value=\"[^\"]*\"/value=\"#${PR_NUMBER}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update PR number."; exit 1; }
sed --sandbox -i -e "/id=\"mergeDate\"/s/value=\"[^\"]*\"/value=\"${MERGE_DATE}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update merge date."; exit 1; }
# Step 4: Setup Node.js environment
- name: Setup Node.js
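Review bot: The three new `sed --sandbox -i -e "/id=\"...\"/s/value=..."` lines still splice `${CONTRIBUTOR_NAME}`, `${PR_NUMBER}` and `${MERGE_DATE}` into both a sed replacement and an HTML attribute without escaping, and `--sandbox` does nothing about that: a `/`, `&` or `\` in the value alters the substitution, and a `"` or `<` breaks the attribute written into `${HTML_FILE}`. `PR_NUMBER` is taken on the first context line from `github.event.inputs.pr_number`, i.e. a workflow_dispatch input, so it is the one most worth pinning: `[[ "$PR_NUMBER" =~ ^[0-9]+$ ]] || { echo "ERROR: PR number must be numeric."; exit 1; }` before the sed calls. `CONTRIBUTOR_NAME` is set outside the hunk; if it is a PR author login or display name it should be escaped for both sed (`&`, `/`, `\`) and HTML (`&`, `"`, `<`) before use, which is more than a one-liner and belongs in a small helper function in this step. Quoting `"${HTML_FILE}"` on these lines would also match the quoting used elsewhere in the same expression.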


@@ -82,8 +82,8 @@ jobs:
VERS: ${{steps.getversion.outputs.version}}
run: |
update=$(printf 's/export PODMAN_VERSION=".*"/export PODMAN_VERSION="%s"/g\n' "$VERS")
sed -i "$update" podman-rpm-info-vars.sh
sed -i 's/export PODMAN_PR_NUM=".*"/export PODMAN_PR_NUM="${{github.event.number}}"/g' podman-rpm-info-vars.sh
sed --sandbox -i -e "$update" podman-rpm-info-vars.sh
sed --sandbox -i -e "s/export PODMAN_PR_NUM=\".*\"/export PODMAN_PR_NUM=\"${{github.event.number}}\"/g" podman-rpm-info-vars.sh
echo "Updated file:"
cat podman-rpm-info-vars.sh
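Review bot: The new `sed --sandbox -i -e "s/export PODMAN_PR_NUM=\".*\"/.../g"` line inlines `${{github.event.number}}` into the shell script, whereas the line above it receives `$VERS` through the `env:` entry on the first context line; passing the PR number the same way (`PR_NUM: ${{ github.event.number }}` under `env:`, then `\"${PR_NUM}\"` in the sed expression) keeps the script free of expression expansion, which is the pattern GitHub recommends for `run:` steps and is cheap here even though `event.number` is normally an integer. The same inline-expansion pattern appears on the `sed --sandbox -i -e "s/export const LATEST_VERSION = '.*';/..."` line in the last file of this commit, where `steps.getversion.outputs.version` is a step output rather than an integer, so the env-var form matters more there. `--sandbox` also does not guard against a `/` or `'` in that version string breaking the `s` command; a format check on the output in the `getversion` step (outside this diff) would. The `env:` mapping key and the rest of this step are outside the hunk.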


@@ -106,7 +106,7 @@ jobs:
steps.checkpr.outputs.prexists == 'false'
run: |
# Replace the version in static/data/global.ts file
sed -i "s/export const LATEST_VERSION = '.*';/export const LATEST_VERSION = '${{ steps.getversion.outputs.version }}';/g" static/data/global.ts
sed --sandbox -i -e "s/export const LATEST_VERSION = '.*';/export const LATEST_VERSION = '${{ steps.getversion.outputs.version }}';/g" static/data/global.ts
echo "Updated file:"
cat static/data/global.ts