From 8ed64b8004ffa454af6e67becc688d7872c904c2 Mon Sep 17 00:00:00 2001 From: Minsu Lee Date: Mon, 27 Jun 2022 10:59:47 +0900 Subject: [PATCH 1/5] fix: Commit messages aren't fully shell escaped `foo`, 'bar', "baz" close #164 close #162 Signed-off-by: Minsu Lee --- dist/index.js | 9 +++++++-- index.js | 7 ++++++- package.json | 2 +- 3 files changed, 14 insertions(+), 4 deletions(-) diff --git a/dist/index.js b/dist/index.js index e27ffc3a..bf656cb4 100644 --- a/dist/index.js +++ b/dist/index.js 
@@ -28169,7 +28169,7 @@ module.exports = require("zlib"); /***/ ((module) => { "use strict"; -module.exports = JSON.parse('{"_args":[["@octokit/rest@16.43.1","/Users/lms/IdeaProjects/vercel-action"]],"_from":"@octokit/rest@16.43.1","_id":"@octokit/rest@16.43.1","_inBundle":false,"_integrity":"sha512-gfFKwRT/wFxq5qlNjnW2dh+qh74XgTQ2B179UX5K1HYCluioWj8Ndbgqw2PVqa1NnVJkGHp2ovMpVn/DImlmkw==","_location":"/@octokit/rest","_phantomChildren":{},"_requested":{"type":"version","registry":true,"raw":"@octokit/rest@16.43.1","name":"@octokit/rest","escapedName":"@octokit%2frest","scope":"@octokit","rawSpec":"16.43.1","saveSpec":null,"fetchSpec":"16.43.1"},"_requiredBy":["/@actions/github"],"_resolved":"https://registry.npmjs.org/@octokit/rest/-/rest-16.43.1.tgz","_spec":"16.43.1","_where":"/Users/lms/IdeaProjects/vercel-action","author":{"name":"Gregor Martynus","url":"https://github.com/gr2m"},"bugs":{"url":"https://github.com/octokit/rest.js/issues"},"bundlesize":[{"path":"./dist/octokit-rest.min.js.gz","maxSize":"33 kB"}],"contributors":[{"name":"Mike de Boer","email":"info@mikedeboer.nl"},{"name":"Fabian Jakobs","email":"fabian@c9.io"},{"name":"Joe Gallo","email":"joe@brassafrax.com"},{"name":"Gregor Martynus","url":"https://github.com/gr2m"}],"dependencies":{"@octokit/auth-token":"^2.4.0","@octokit/plugin-paginate-rest":"^1.1.1","@octokit/plugin-request-log":"^1.0.0","@octokit/plugin-rest-endpoint-methods":"2.4.0","@octokit/request":"^5.2.0","@octokit/request-error":"^1.0.2","atob-lite":"^2.0.0","before-after-hook":"^2.0.0","btoa-lite":"^1.0.0","deprecation":"^2.0.0","lodash.get":"^4.4.2","lodash.set":"^4.3.2","lodash.uniq":"^4.5.0","octokit-pagination-methods":"^1.1.0","once":"^1.4.0","universal-user-agent":"^4.0.0"},"description":"GitHub REST API client for 
Node.js","devDependencies":{"@gimenete/type-writer":"^0.1.3","@octokit/auth":"^1.1.1","@octokit/fixtures-server":"^5.0.6","@octokit/graphql":"^4.2.0","@types/node":"^13.1.0","bundlesize":"^0.18.0","chai":"^4.1.2","compression-webpack-plugin":"^3.1.0","cypress":"^3.0.0","glob":"^7.1.2","http-proxy-agent":"^4.0.0","lodash.camelcase":"^4.3.0","lodash.merge":"^4.6.1","lodash.upperfirst":"^4.3.1","lolex":"^5.1.2","mkdirp":"^1.0.0","mocha":"^7.0.1","mustache":"^4.0.0","nock":"^11.3.3","npm-run-all":"^4.1.2","nyc":"^15.0.0","prettier":"^1.14.2","proxy":"^1.0.0","semantic-release":"^17.0.0","sinon":"^8.0.0","sinon-chai":"^3.0.0","sort-keys":"^4.0.0","string-to-arraybuffer":"^1.0.0","string-to-jsdoc-comment":"^1.0.0","typescript":"^3.3.1","webpack":"^4.0.0","webpack-bundle-analyzer":"^3.0.0","webpack-cli":"^3.0.0"},"files":["index.js","index.d.ts","lib","plugins"],"homepage":"https://github.com/octokit/rest.js#readme","keywords":["octokit","github","rest","api-client"],"license":"MIT","name":"@octokit/rest","nyc":{"ignore":["test"]},"publishConfig":{"access":"public"},"release":{"publish":["@semantic-release/npm",{"path":"@semantic-release/github","assets":["dist/*","!dist/*.map.gz"]}]},"repository":{"type":"git","url":"git+https://github.com/octokit/rest.js.git"},"scripts":{"build":"npm-run-all build:*","build:browser":"npm-run-all build:browser:*","build:browser:development":"webpack --mode development --entry . --output-library=Octokit --output=./dist/octokit-rest.js --profile --json > dist/bundle-stats.json","build:browser:production":"webpack --mode production --entry . 
--plugin=compression-webpack-plugin --output-library=Octokit --output-path=./dist --output-filename=octokit-rest.min.js --devtool source-map","build:ts":"npm run -s update-endpoints:typescript","coverage":"nyc report --reporter=html && open coverage/index.html","generate-bundle-report":"webpack-bundle-analyzer dist/bundle-stats.json --mode=static --no-open --report dist/bundle-report.html","lint":"prettier --check \'{lib,plugins,scripts,test}/**/*.{js,json,ts}\' \'docs/*.{js,json}\' \'docs/src/**/*\' index.js README.md package.json","lint:fix":"prettier --write \'{lib,plugins,scripts,test}/**/*.{js,json,ts}\' \'docs/*.{js,json}\' \'docs/src/**/*\' index.js README.md package.json","postvalidate:ts":"tsc --noEmit --target es6 test/typescript-validate.ts","prebuild:browser":"mkdirp dist/","pretest":"npm run -s lint","prevalidate:ts":"npm run -s build:ts","start-fixtures-server":"octokit-fixtures-server","test":"nyc mocha test/mocha-node-setup.js \\"test/*/**/*-test.js\\"","test:browser":"cypress run --browser chrome","update-endpoints":"npm-run-all update-endpoints:*","update-endpoints:fetch-json":"node scripts/update-endpoints/fetch-json","update-endpoints:typescript":"node scripts/update-endpoints/typescript","validate:ts":"tsc --target es6 --noImplicitAny index.d.ts"},"types":"index.d.ts","version":"16.43.1"}'); +module.exports = JSON.parse('{"name":"@octokit/rest","version":"16.43.1","publishConfig":{"access":"public"},"description":"GitHub REST API client for Node.js","keywords":["octokit","github","rest","api-client"],"author":"Gregor Martynus (https://github.com/gr2m)","contributors":[{"name":"Mike de Boer","email":"info@mikedeboer.nl"},{"name":"Fabian Jakobs","email":"fabian@c9.io"},{"name":"Joe Gallo","email":"joe@brassafrax.com"},{"name":"Gregor 
Martynus","url":"https://github.com/gr2m"}],"repository":"https://github.com/octokit/rest.js","dependencies":{"@octokit/auth-token":"^2.4.0","@octokit/plugin-paginate-rest":"^1.1.1","@octokit/plugin-request-log":"^1.0.0","@octokit/plugin-rest-endpoint-methods":"2.4.0","@octokit/request":"^5.2.0","@octokit/request-error":"^1.0.2","atob-lite":"^2.0.0","before-after-hook":"^2.0.0","btoa-lite":"^1.0.0","deprecation":"^2.0.0","lodash.get":"^4.4.2","lodash.set":"^4.3.2","lodash.uniq":"^4.5.0","octokit-pagination-methods":"^1.1.0","once":"^1.4.0","universal-user-agent":"^4.0.0"},"devDependencies":{"@gimenete/type-writer":"^0.1.3","@octokit/auth":"^1.1.1","@octokit/fixtures-server":"^5.0.6","@octokit/graphql":"^4.2.0","@types/node":"^13.1.0","bundlesize":"^0.18.0","chai":"^4.1.2","compression-webpack-plugin":"^3.1.0","cypress":"^3.0.0","glob":"^7.1.2","http-proxy-agent":"^4.0.0","lodash.camelcase":"^4.3.0","lodash.merge":"^4.6.1","lodash.upperfirst":"^4.3.1","lolex":"^5.1.2","mkdirp":"^1.0.0","mocha":"^7.0.1","mustache":"^4.0.0","nock":"^11.3.3","npm-run-all":"^4.1.2","nyc":"^15.0.0","prettier":"^1.14.2","proxy":"^1.0.0","semantic-release":"^17.0.0","sinon":"^8.0.0","sinon-chai":"^3.0.0","sort-keys":"^4.0.0","string-to-arraybuffer":"^1.0.0","string-to-jsdoc-comment":"^1.0.0","typescript":"^3.3.1","webpack":"^4.0.0","webpack-bundle-analyzer":"^3.0.0","webpack-cli":"^3.0.0"},"types":"index.d.ts","scripts":{"coverage":"nyc report --reporter=html && open coverage/index.html","lint":"prettier --check \'{lib,plugins,scripts,test}/**/*.{js,json,ts}\' \'docs/*.{js,json}\' \'docs/src/**/*\' index.js README.md package.json","lint:fix":"prettier --write \'{lib,plugins,scripts,test}/**/*.{js,json,ts}\' \'docs/*.{js,json}\' \'docs/src/**/*\' index.js README.md package.json","pretest":"npm run -s lint","test":"nyc mocha test/mocha-node-setup.js \\"test/*/**/*-test.js\\"","test:browser":"cypress run --browser chrome","build":"npm-run-all build:*","build:ts":"npm run -s 
update-endpoints:typescript","prebuild:browser":"mkdirp dist/","build:browser":"npm-run-all build:browser:*","build:browser:development":"webpack --mode development --entry . --output-library=Octokit --output=./dist/octokit-rest.js --profile --json > dist/bundle-stats.json","build:browser:production":"webpack --mode production --entry . --plugin=compression-webpack-plugin --output-library=Octokit --output-path=./dist --output-filename=octokit-rest.min.js --devtool source-map","generate-bundle-report":"webpack-bundle-analyzer dist/bundle-stats.json --mode=static --no-open --report dist/bundle-report.html","update-endpoints":"npm-run-all update-endpoints:*","update-endpoints:fetch-json":"node scripts/update-endpoints/fetch-json","update-endpoints:typescript":"node scripts/update-endpoints/typescript","prevalidate:ts":"npm run -s build:ts","validate:ts":"tsc --target es6 --noImplicitAny index.d.ts","postvalidate:ts":"tsc --noEmit --target es6 test/typescript-validate.ts","start-fixtures-server":"octokit-fixtures-server"},"license":"MIT","files":["index.js","index.d.ts","lib","plugins"],"nyc":{"ignore":["test"]},"release":{"publish":["@semantic-release/npm",{"path":"@semantic-release/github","assets":["dist/*","!dist/*.map.gz"]}]},"bundlesize":[{"path":"./dist/octokit-rest.min.js.gz","maxSize":"33 kB"}]}'); /***/ }) @@ -28348,7 +28348,12 @@ async function vercelDeploy(ref, commit) { ...addVercelMetadata('githubRepo', context.repo.repo, providedArgs), ...addVercelMetadata('githubCommitOrg', context.repo.owner, providedArgs), ...addVercelMetadata('githubCommitRepo', context.repo.repo, providedArgs), - ...addVercelMetadata('githubCommitMessage', `"${commit}"`, providedArgs), + ...addVercelMetadata( + 'githubCommitMessage', + // eslint-disable-next-line prefer-template + '"' + commit + '"', + providedArgs, + ), ...addVercelMetadata( 'githubCommitRef', ref.replace('refs/heads/', ''), diff --git a/index.js b/index.js index 5af9cc0b..c455c362 100644 --- a/index.js 
+++ b/index.js @@ -132,7 +132,12 @@ async function vercelDeploy(ref, commit) { ...addVercelMetadata('githubRepo', context.repo.repo, providedArgs), ...addVercelMetadata('githubCommitOrg', context.repo.owner, providedArgs), ...addVercelMetadata('githubCommitRepo', context.repo.repo, providedArgs), - ...addVercelMetadata('githubCommitMessage', `"${commit}"`, providedArgs), + ...addVercelMetadata( + 'githubCommitMessage', + // eslint-disable-next-line prefer-template + '"' + commit + '"', + providedArgs, + ), ...addVercelMetadata( 'githubCommitRef', ref.replace('refs/heads/', ''), diff --git a/package.json b/package.json index 54a9f77e..9a177be4 100644 --- a/package.json +++ b/package.json @@ -11,7 +11,7 @@ "email": "amond@amond.net", "url": "https://amond.dev" }, - "version": "25.0.0", + "version": "25.0.1", "main": "index.js", "scripts": { "lint": "eslint index.js", From 190984df95cc80367c6b0039c4e88d49e331220c Mon Sep 17 00:00:00 2001 From: Minsu Lee Date: Mon, 27 Jun 2022 11:16:01 +0900 Subject: [PATCH 2/5] fix: Commit messages aren't fully shell escaped `app` , "test", 'foo' Signed-off-by: Minsu Lee --- dist/index.js | 5 +++-- index.js | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/dist/index.js b/dist/index.js index bf656cb4..72bcd9be 100644 --- a/dist/index.js +++ b/dist/index.js @@ -28333,6 +28333,8 @@ async function vercelDeploy(ref, commit) { const providedArgs = vercelArgs.split(/ +/); + const commitMessage = commit.replace("'", "'\\''"); + const args = [ ...vercelArgs.split(/ +/), ...['-t', vercelToken], @@ -28350,8 +28352,7 @@ async function vercelDeploy(ref, commit) { ...addVercelMetadata('githubCommitRepo', context.repo.repo, providedArgs), ...addVercelMetadata( 'githubCommitMessage', - // eslint-disable-next-line prefer-template - '"' + commit + '"', + `'${commitMessage}'`, providedArgs, ), ...addVercelMetadata( diff --git a/index.js b/index.js index c455c362..90c67fa4 100644 --- a/index.js +++ b/index.js 
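Review bot: The new expression `'"' + commit + '"'` in the -132 hunk of index.js builds exactly the same string as the removed template literal, so this change escapes nothing, and the added eslint-disable comment only silences the lint rule that points this out. A commit message is contributor-controlled text, and one containing a double quote or a backtick still reaches `addVercelMetadata` unchanged. The call that consumes `args` is outside this hunk; if it goes through a shell this is a command-injection path, and if it passes an argv array the wrapper quotes are unnecessary and `commit` can be passed as-is. The dist/index.js hunk at -28348 carries the same line.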
@@ -117,6 +117,8 @@ async function vercelDeploy(ref, commit) { const providedArgs = vercelArgs.split(/ +/); + const commitMessage = commit.replace("'", "'\\''"); + const args = [ ...vercelArgs.split(/ +/), ...['-t', vercelToken], @@ -134,8 +136,7 @@ async function vercelDeploy(ref, commit) { ...addVercelMetadata('githubCommitRepo', context.repo.repo, providedArgs), ...addVercelMetadata( 'githubCommitMessage', - // eslint-disable-next-line prefer-template - '"' + commit + '"', + `'${commitMessage}'`, providedArgs, ), ...addVercelMetadata( From b8181612c0011cb345c4ce0448d207be577320e0 Mon Sep 17 00:00:00 2001 From: Minsu Lee Date: Mon, 27 Jun 2022 11:20:43 +0900 Subject: [PATCH 3/5] fix: Commit messages aren't fully shell escaped `app` , "test", 'foo' close #164 close #162 Signed-off-by: Minsu Lee --- dist/index.js | 2 +- index.js | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dist/index.js b/dist/index.js index 72bcd9be..b1b9e2e4 100644 --- a/dist/index.js +++ b/dist/index.js @@ -28333,7 +28333,7 @@ async function vercelDeploy(ref, commit) { const providedArgs = vercelArgs.split(/ +/); - const commitMessage = commit.replace("'", "'\\''"); + const commitMessage = commit.replace("'", "'\\''").replace("`", "'\\'`"); const args = [ ...vercelArgs.split(/ +/), diff --git a/index.js b/index.js index 90c67fa4..ea2b78e6 100644 --- a/index.js +++ b/index.js @@ -117,7 +117,7 @@ async function vercelDeploy(ref, commit) { const providedArgs = vercelArgs.split(/ +/); - const commitMessage = commit.replace("'", "'\\''"); + const commitMessage = commit.replace("'", "'\\''").replace("`", "'\\'`"); const args = [ ...vercelArgs.split(/ +/), From 4e76438bd6e868adce7b4c85b99512d8c62e69c3 Mon Sep 17 00:00:00 2001 From: Minsu Lee Date: Mon, 27 Jun 2022 11:26:52 +0900 Subject: [PATCH 4/5] fix: Commit messages aren't fully shell escaped `app` , "test", 'foo' 
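Review bot: `commit.replace("'", "'\\''")` in the -117,6 hunk uses a string pattern, and `String.prototype.replace` with a string pattern rewrites only the first match. A message with two or more single quotes therefore leaves the later ones unescaped inside the `'…'` wrapper added in the -134 hunk. Use a global pattern instead: `const commitMessage = commit.replace(/'/g, "'\\''");`. The same first-match-only call is kept in the PATCH 3/5, 4/5 and 5/5 versions of this line and in the dist/index.js copies. vercelDeploy continues outside the hunk, so whether `args` is ever interpreted by a shell should be confirmed before settling on a quoting scheme.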
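Review bot: The second `.replace(...)` added in PATCH 3/5 (index.js -117,7) weakens the quoting instead of strengthening it. Its replacement text closes the single-quoted string, emits an escaped quote and then leaves the backtick outside any quotes without reopening them. Inside POSIX single quotes a backtick is already literal, so it needs no handling once every `'` is rewritten to `'\''`. I would drop the backtick call and keep only the single-quote replacement, made global.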
Signed-off-by: Minsu Lee --- dist/index.js | 2 +- index.js | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dist/index.js b/dist/index.js index b1b9e2e4..05ed22cb 100644 --- a/dist/index.js +++ b/dist/index.js @@ -28333,7 +28333,7 @@ async function vercelDeploy(ref, commit) { const providedArgs = vercelArgs.split(/ +/); - const commitMessage = commit.replace("'", "'\\''").replace("`", "'\\'`"); + const commitMessage = commit.replace("'", "\\'").replace('`', '\\`'); const args = [ ...vercelArgs.split(/ +/), diff --git a/index.js b/index.js index ea2b78e6..1aef94fb 100644 --- a/index.js +++ b/index.js @@ -117,7 +117,7 @@ async function vercelDeploy(ref, commit) { const providedArgs = vercelArgs.split(/ +/); - const commitMessage = commit.replace("'", "'\\''").replace("`", "'\\'`"); + const commitMessage = commit.replace("'", "\\'").replace('`', '\\`'); const args = [ ...vercelArgs.split(/ +/), From d25df76cbfc3a3461d7f980a0ccc61210c0e5213 Mon Sep 17 00:00:00 2001 From: Minsu Lee Date: Mon, 27 Jun 2022 11:33:07 +0900 Subject: [PATCH 5/5] fix: Commit messages aren't fully shell escaped `app` , "test", 'foo' Signed-off-by: Minsu Lee --- dist/index.js | 2 +- index.js | 2 +- test.js | 3 +++ 3 files changed, 5 insertions(+), 2 deletions(-) create mode 100644 test.js diff --git a/dist/index.js b/dist/index.js index 05ed22cb..4e95f3ae 100644 --- a/dist/index.js +++ b/dist/index.js @@ -28333,7 +28333,7 @@ async function vercelDeploy(ref, commit) { const providedArgs = vercelArgs.split(/ +/); - const commitMessage = commit.replace("'", "\\'").replace('`', '\\`'); + const commitMessage = commit.replace("'", "\\'").replace('`', '`````'); const args = [ ...vercelArgs.split(/ +/), diff --git a/index.js b/index.js index 1aef94fb..ecf9c09e 100644 --- a/index.js +++ b/index.js 
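Review bot: The PATCH 4/5 replacement `"\\'"` (index.js -117,7) assumes a backslash escapes a quote inside single quotes, but POSIX shells treat backslash literally there, so the `'` still terminates the quoted string. This regresses from the `'\''` idiom introduced in PATCH 2/5 and leaves the rest of the message outside the `'…'` wrapper. Restore the earlier replacement text with a global pattern, `commit.replace(/'/g, "'\\''")`, and remove the backtick replacement, which single quoting makes unnecessary. The dist/index.js hunk at -28333 has the same line.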
@@ -117,7 +117,7 @@ async function vercelDeploy(ref, commit) { const providedArgs = vercelArgs.split(/ +/); - const commitMessage = commit.replace("'", "\\'").replace('`', '\\`'); + const commitMessage = commit.replace("'", "\\'").replace('`', '`````'); const args = [ ...vercelArgs.split(/ +/), diff --git a/test.js b/test.js new file mode 100644 index 00000000..d654d478 --- /dev/null +++ b/test.js @@ -0,0 +1,3 @@ +const message = '`foo`, "bar", \'test\''; + +console.log(`'${message}'`); \ No newline at end of file
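Review bot: Replacing the first backtick with five backticks (index.js -117,7, mirrored in dist/index.js) is not an escape. It changes the commit message recorded in the deployment metadata and leaves every later backtick and single quote as it was. Together with the unchanged first-match-only `"\\'"` replacement, the final state of this series still produces a string that is not safely quoted for a shell. I would move the quoting into one small helper that rewrites every `'` to `'\''` and wraps the result in single quotes, or pass `commit` unquoted if the consumer outside this hunk takes an argv array.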
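Review bot: The new test.js is a scratch script, not a test: it prints a hard-coded string wrapped in quotes, asserts nothing, and never calls the escaping code in index.js. As a result the behaviour this series changes five times is still unverified. Either delete the file before merging or turn it into a real check that feeds messages with repeated single quotes, double quotes and backticks through the quoting logic and asserts the exact output. The file also lacks a trailing newline.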