github-upload-action-secrets: input validation

Make sure --receiver refers to a valid org or repository.
cockpit-project · allisonkarlitskaya · Jul 9, 2021 · Jul 8, 2021 · Jul 8, 2021 · Jul 8, 2021
commit 6dd849493fd198df85079980456a6191ee26c6f9
diff --git a/github-upload-action-secrets b/github-upload-action-secrets
@@ -31,6 +31,7 @@
 
 import argparse
 import os
+import re
 import sys
 import urllib.parse
 from base64 import b64encode
@@ -65,6 +66,12 @@ def main():
     parser.add_argument("secrets_dir", help="directory with one file per secret")
     opts = parser.parse_args()
 
+    NAME_RE = r'[a-z][-0-9a-z_.]*'
+    REPO_RE = f'{NAME_RE}/{NAME_RE}'
+
+    if opts.receiver and not re.fullmatch(f'{NAME_RE}|{REPO_RE}', opts.receiver, re.I):
+        parser.error('--receiver specifies an invalid org or repository name')
+
     if not opts.receiver:
         if not opts.env:
             # get organization of the current repo, if available