fix: avoid using comment body directly (#8851)

matifali · web-flow · commit f7327dd2c6e6 · 2023-08-02T22:19:17.000+03:00
diff --git a/.github/workflows/pr-deploy.yaml b/.github/workflows/pr-deploy.yaml
@@ -234,9 +234,19 @@ jobs:
           if [[ ${{ github.event_name }} == "workflow_dispatch" ]]; then
             experiments=${{ github.event.inputs.experiments }}
           else
-            experiments=$(echo "${{ github.event.comment.body }}" | grep -oP '(?<=--experiments )[^ ]+')
+            # extract experiments part
+            extracted_experiments=$(echo "$COMMENT_BODY" | grep -oP '(?<=--experiments )[^ ]+')
+            # Validate that the experiments is a comma-separated list of alphanumeric strings, "*", or "-"
+            if [[ $extracted_experiments =~ ^[a-zA-Z0-9_*,\"-]+$ ]]; then
+              experiments=$extracted_experiments
+            else
+              echo "Invalid input: $extracted_experiments"
+              exit 1
+            fi
           fi
           echo "experiments=$experiments" >> $GITHUB_OUTPUT
+        env:
+          COMMENT_BODY: ${{ github.event.comment.body || '' }}
 
       - name: Create values.yaml
         run: |
