chore: Sanitize titles for Slack notification (#364)

- Avoid injection attacks by adding basic user input sanitation
aws-actions · Jan 24, 2025 · db95410 · db95410
1 parent 7ba85bc
commit db95410
Showing 1 changed file with 41 additions and 3 deletions.
diff --git a/.github/workflows/notifications.yml b/.github/workflows/notifications.yml
@@ -13,6 +13,44 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - uses: actions/github-script@v7
+        id: sanitize-title
+        with:
+          script: |
+            const isPR = !!context.payload.pull_request;
+            const isIssue = !!context.payload.issue;
+            const item = isPR ? context.payload.pull_request : isIssue ? context.payload.issue : context.payload.issue_comment.issue;
+            
+            // Sanitization functions
+            const sanitizeTitle = (title) => {
+              return title
+                // Remove potential markdown formatting
+                .replace(/[*_~`]/g, '')
+                // Remove potential HTML tags
+                .replace(/<[^>]*>/g, '')
+                // Remove multiple spaces
+                .replace(/\s{2,}/g, ' ')
+                // Trim whitespace
+                .trim()
+                // Enforce max length of 100
+                .substring(0, 100);
+            };
+            
+            // Escape special characters for Slack
+            const escapeForSlack = (text) => {
+              return text
+                .replace(/"/g, '&quot;')
+                .replace(/&/g, '&amp;')
+                .replace(/</g, '&lt;')
+                .replace(/[@]/g, '\\@')
+                .replace(/>/g, '&gt;')
+                .replace(/&amp;lt;/g, '&lt;')
+                .replace(/&amp;gt;/g, '&gt;');
+            };
+
+            const sanitizedTitle = escapeForSlack(sanitizeTitle(item.title));
+            console.log('Sanitized Title: ', sanitizedTitle);
+            core.setOutput('safe-title', sanitizedTitle);
       - name: Send notifications on Pull Request
         if: ${{ github.event_name == 'pull_request'}}
         id: slack_PR
@@ -23,7 +61,7 @@ jobs:
               "Notification Type": "Pull Request",
               "Notification URL":"${{ github.event.pull_request.html_url }}",
               "GitHub Repo": "${{ github.repository }}",
-              "Notification Title": "${{ github.event.pull_request.title }}"
+              "Notification Title": "${{ steps.sanitize-title.outputs.safe-title }}"
             }
         env:
           SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
@@ -37,7 +75,7 @@ jobs:
               "Notification Type": "Issue",
               "Notification URL":"${{ github.event.issue.html_url }}",
               "GitHub Repo": "${{ github.repository }}",
-              "Notification Title": "${{ github.event.issue.title }}"
+              "Notification Title": "${{ steps.sanitize-title.outputs.safe-title }}"
             }
         env:
           SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
@@ -51,7 +89,7 @@ jobs:
               "Notification Type": "Issue comment",
               "Notification URL":"${{ github.event.comment.html_url }}",
               "GitHub Repo": "${{ github.repository }}",
-              "Notification Title": "${{ github.event.issue_comment.issue.title }}"
+              "Notification Title": "${{ steps.sanitize-title.outputs.safe-title }}"
             }
         env:
           SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}