From 5c5bbcbaf033a38eccf646cb868380999d069c6b Mon Sep 17 00:00:00 2001
From: volodymyrZotov
Date: Mon, 15 Aug 2022 13:32:42 +0300
Subject: [PATCH] prevent command injection vulnerability
---
 dist/index.js | 9 +++------
 src/index.ts | 9 +++------
 2 files changed, 6 insertions(+), 12 deletions(-)
diff --git a/dist/index.js b/dist/index.js
index e3d7f39..cbda727 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -1935,13 +1935,10 @@ function run() { try { const parentDir = path__WEBPACK_IMPORTED_MODULE_2___default().resolve(__dirname, '..'); // Get action inputs - const unsetPrevious = _actions_core__WEBPACK_IMPORTED_MODULE_0__.getInput('unset-previous'); - const exportEnv = _actions_core__WEBPACK_IMPORTED_MODULE_0__.getInput('export-env'); + process.env.INPUT_UNSET_PREVIOUS = _actions_core__WEBPACK_IMPORTED_MODULE_0__.getInput('unset-previous'); + process.env.INPUT_EXPORT_ENV = _actions_core__WEBPACK_IMPORTED_MODULE_0__.getInput('export-env'); // Execute bash script - yield _actions_exec__WEBPACK_IMPORTED_MODULE_1__.exec(`sh -c "` + - `INPUT_UNSET_PREVIOUS=` + unsetPrevious + ` ` + - `INPUT_EXPORT_ENV=` + exportEnv + ` ` + - parentDir + `/entrypoint.sh"`); + yield _actions_exec__WEBPACK_IMPORTED_MODULE_1__.exec(`sh -c "` + parentDir + `/entrypoint.sh"`); } catch (error) { _actions_core__WEBPACK_IMPORTED_MODULE_0__.setFailed(error.message);
diff --git a/src/index.ts b/src/index.ts
index 855332d..0a60ed8 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -7,14 +7,11 @@ async function run(): Promise {
 const parentDir = path.resolve(__dirname, '..');
 // Get action inputs
- const unsetPrevious = core.getInput('unset-previous');
- const exportEnv = core.getInput('export-env');
+ process.env.INPUT_UNSET_PREVIOUS = core.getInput('unset-previous');
+ process.env.INPUT_EXPORT_ENV = core.getInput('export-env');
 // Execute bash script
- await exec.exec(`sh -c "` +
- `INPUT_UNSET_PREVIOUS=` + unsetPrevious + ` ` +
- `INPUT_EXPORT_ENV=` + exportEnv + ` ` +
- parentDir + `/entrypoint.sh"`);
+ await exec.exec(`sh -c "` + parentDir + `/entrypoint.sh"`);
 } catch (error: any) {
 core.setFailed(error.message);
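Review bot: The `exec.exec` call added at the end of the hunk still builds a `sh -c "…"` string by concatenating `parentDir`, so the script path is re-parsed by the shell and a checkout path containing spaces, quotes or `$` would be split or expanded. `path` is already in scope, so the path can be passed as an argument instead: `await exec.exec('sh', [path.join(parentDir, 'entrypoint.sh')]);` (use `bash` there if the script depends on its shebang). The inputs are now assigned to `process.env` for the whole process; the `env` field of the exec options would scope them to this one child if that is preferred. `entrypoint.sh` is not part of this patch, so the fix holds only if it expands `INPUT_UNSET_PREVIOUS` and `INPUT_EXPORT_ENV` quoted and never through `eval`, which is worth confirming. The same lines appear in the compiled `dist/index.js`, and `run()` starts and ends outside the hunk.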