mirror of
https://github.com/actions-rust-lang/rustfmt.git
synced 2025-12-27 01:54:20 -05:00
Update changelog
13
CHANGELOG.md
@@ -7,6 +7,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|||||||
|
|
||||||
## [Unreleased]
|
## [Unreleased]
|
||||||
|
|
||||||
|
## [1.1.2] - 2025-12-14
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
|
||||||
|
* Fixed a command injection vulnerability via the `manifest-path` input parameter.
|
||||||
|
|
||||||
|
The code was using GitHub action templates to inject the value directly into the shell command, which does not perform the necessary escaping.
|
||||||
|
For fixing the issue, the value is passed via an environment variable, which performs the proper escaping.
|
||||||
|
This is only an issue if the `manifest-path` parameter was set from some other untrusted source.
|
||||||
|
Using a static string to call the action is safe.
|
||||||
|
|
||||||
|
Thanks to @mleblebici for reporting and fixing the issue.
|
||||||
|
|
||||||
## [1.1.1] - 2024-10-01
|
## [1.1.1] - 2024-10-01
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|||||||
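Review bot: In the new 1.1.2 entry, the sentence "the value is passed via an environment variable, which performs the proper escaping" misdescribes the fix, because an environment variable does not escape anything. The fix works because the value is no longer substituted into the script text by the template, so the shell only ever sees it as the contents of a variable, and that variable still has to be quoted where the script expands it. Suggest rewording along the lines of "the value is now passed via an environment variable, so it is never interpolated into the shell command text". The entry also does not say which released versions are affected or link to an advisory; users who pass `manifest-path` from an untrusted source need that to decide whether to upgrade. Minor: "This is only an issue if ... was set" mixes tenses, and "For fixing the issue" reads better as "To fix the issue".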