mirror of
https://github.com/actions-rust-lang/rustfmt.git
synced 2025-12-27 01:54:20 -05:00
# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]
## [1.1.2] - 2025-12-14

### Fixed

* Fixed a command injection vulnerability via the `manifest-path` input parameter.

    The code was using GitHub Actions templates to inject the value directly into the shell command, which does not perform the necessary escaping.
    To fix the issue, the value is now passed via an environment variable, which performs the proper escaping.
    This is only an issue if the `manifest-path` parameter is set from an untrusted source.
    Using a static string to call the action is safe.

    Thanks to @mleblebici for reporting and fixing the issue.
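Why moving the value into an environment variable closes the hole, shown as an added example that is not the action's own code: this POSIX shell sketch imitates the runner's textual `${{ }}` substitution and compares it with passing the same value through the environment. The step bodies, the `MANIFEST_PATH` variable name and the sample value are assumptions constructed for illustration, and `echo` stands in for the real command.

```shell
#!/bin/sh
# Added illustration, not the action's code. The runner replaces ${{ ... }}
# expressions as plain text before the shell parses the script, while values
# listed under `env:` reach the script as ordinary variables.
# Step bodies and MANIFEST_PATH are hypothetical; echo stands in for the tool.

UNSAFE_STEP='echo cargo fmt --manifest-path ${{ inputs.manifest-path }}'
SAFE_STEP='echo cargo fmt --manifest-path "$MANIFEST_PATH"'

# Constructed input, as it might arrive from an untrusted source.
UNTRUSTED='Cargo.toml; echo INJECTED'

# render TEMPLATE VALUE: imitate the textual expansion of the expression.
render() (
  token='${{ inputs.manifest-path }}'
  case $1 in
    *"$token"*)
      before=${1%%"$token"*}
      after=${1#*"$token"}
      printf '%s\n' "$before$2$after" ;;
    *) printf '%s\n' "$1" ;;
  esac
)

# run_step TEMPLATE VALUE: expand, then run the script with VALUE also
# exported the way an `env:` mapping would provide it.
run_step() (
  script=$(render "$1" "$2")
  MANIFEST_PATH=$2 sh -c "$script"
)

echo '--- value expanded into the script text (before the fix):'
run_step "$UNSAFE_STEP" "$UNTRUSTED"   # second line shows the value ran as code
echo '--- value passed through the environment (after the fix):'
run_step "$SAFE_STEP" "$UNTRUSTED"     # one line: the value stayed an argument
```

The quotes around `"$MANIFEST_PATH"` matter as well: the shell never re-parses the variable's content as code, but an unquoted expansion would still be split into several arguments.
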
## [1.1.1] - 2024-10-01

### Fixed

* Parse the new rustfmt file and line number format

    The format changed in https://github.com/rust-lang/rustfmt/pull/5971

    Thanks to @0xcypher02 for pointing out the problem.
## [1.1.0] - 2022-11-21

### Added

* Add the input `manifest-path` to set the `--manifest-path` argument of rustfmt. #1
    This allows formatting any cargo project in the repository independent of the location.
## [1.0.1] - 2022-10-13

### Changed

* Switch from `set-output` to `$GITHUB_OUTPUT` to avoid warning
    https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
## [1.0.0] - 2022-07-19

Initial Version