Skip to content

Releases: actions-rust-lang/rustfmt

v1.1.2

14 Dec 19:54
4066006

Choose a tag to compare

What's Changed

Fixed

  • Fixed a command injection vulnerability via the manifest-path input parameter.

    The code was using GitHub action templates to inject the value directly into the shell command, which does not perform the necessary escaping.
    For fixing the issue, the value is passed via an environment variable, which performs the proper escaping.
    This is only an issue if the manifest-path parameter was set from some other untrusted source.
    Using a static string to call the action is safe.

    Thanks to @mleblebici for reporting and fixing the issue.

New Contributors

Full Changelog: v1.1.1...v1.1.2

v1.1.1

01 Oct 20:57
559aa30

Choose a tag to compare

Fixed

Full Changelog: v1...v1.1.1

v1.1.0

21 Nov 20:51
2d1d4e9

Choose a tag to compare

Merge pull request #2 from actions-rust-lang/add-manifest-path

v1.0.1

13 Oct 19:00

Choose a tag to compare

Switch from set-output to $GITHUB_OUTPUT

https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

v1.0.0

19 Jul 17:50

Choose a tag to compare

Ensure releases are properly tagged