From 924631dccc5c242d73dc870f504b4de77e7bc65f Mon Sep 17 00:00:00 2001
From: stack72
Date: Fri, 3 Apr 2026 18:31:14 +0100
Subject: [PATCH] fix: validate inputs to prevent GITHUB_ENV injection

Add newline checks on api-key and swamp-club-url inputs to prevent environment variable injection via GITHUB_ENV. Also enforce https:// scheme on swamp-club-url to prevent credentials being sent over plaintext or to non-HTTP destinations.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 action.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/action.yml b/action.yml
index 632e69d..bdb6ea9 100644
--- a/action.yml
+++ b/action.yml
@@ -56,6 +56,11 @@ runs:
 env:
 SWAMP_API_KEY: ${{ inputs.api-key }}
 run: |
+ # Reject values containing newlines to prevent GITHUB_ENV injection
+ if [[ "$SWAMP_API_KEY" == *$'\n'* ]]; then
+ echo "::error::api-key must not contain newlines"
+ exit 1
+ fi
 echo "::add-mask::${SWAMP_API_KEY}"
 echo "SWAMP_API_KEY=${SWAMP_API_KEY}" >> "$GITHUB_ENV"
 
@@ -65,6 +70,16 @@ runs:
 env:
 SWAMP_CLUB_URL: ${{ inputs.swamp-club-url }}
 run: |
+ # Reject values containing newlines to prevent GITHUB_ENV injection
+ if [[ "$SWAMP_CLUB_URL" == *$'\n'* ]]; then
+ echo "::error::swamp-club-url must not contain newlines"
+ exit 1
+ fi
+ # Validate URL scheme
+ if [[ "$SWAMP_CLUB_URL" != https://* ]]; then
+ echo "::error::swamp-club-url must use https://"
+ exit 1
+ fi
 echo "SWAMP_CLUB_URL=${SWAMP_CLUB_URL}" >> "$GITHUB_ENV"
 
 - name: Verify authentication
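Review bot: The newline guard on `SWAMP_API_KEY` tests only for LF, so a value carrying a bare carriage return still reaches the `>> "$GITHUB_ENV"` write unrejected, and a CR can also act as a line terminator when the runner parses that file. The check should cover both characters: `if [[ "$SWAMP_API_KEY" == *$'\n'* || "$SWAMP_API_KEY" == *$'\r'* ]]; then`. The same gap exists in the `SWAMP_CLUB_URL` newline check in the second hunk. Note that `[[ ]]` and `$'\n'` are bash-only, so both steps rely on their `shell:` being bash, which is not visible in either hunk.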
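Review bot: The scheme check `[[ "$SWAMP_CLUB_URL" != https://* ]]` constrains only the prefix, so the bare value `https://` with no host passes and is written to `GITHUB_ENV`; requiring at least one character after the scheme, `if [[ "$SWAMP_CLUB_URL" != https://?* ]]; then`, rejects that case with the existing error message. The match is also case-sensitive, so `HTTPS://` is rejected; that is a reasonable choice for this input but should be stated in the comment, e.g. `# Validate URL scheme (lowercase https:// required; host must be present)`.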