From b9751a05355f01a19fc13718a129ad6b6e621e36 Mon Sep 17 00:00:00 2001
From: Pavlo Bashynskyi
Date: Mon, 19 Aug 2024 16:42:54 +0300
Subject: [PATCH] Fix Remote code execution (#24)
---
 .github/workflows/droid.yml | 11 +++++++++--
 test/assets/echo.js | 5 +++++
 2 files changed, 14 insertions(+), 2 deletions(-)
 create mode 100644 test/assets/echo.js
diff --git a/.github/workflows/droid.yml b/.github/workflows/droid.yml
index 263f044..22718ab 100644
--- a/.github/workflows/droid.yml
+++ b/.github/workflows/droid.yml
@@ -29,10 +29,17 @@ jobs:
 description: 'true'
 - if: ${{ steps.c-3po.outputs.is-hello }}
- run: echo "${{ steps.c-3po.outputs.has-hello }}, it is you, it Is You!"
+ run: node ./test/assets/echo.js
+ env:
+ INPUTS_ARG1: "${{ steps.c-3po.outputs.has-hello }}"
+ INPUTS_ARG2: ", it is you, it Is You!"
 - if: ${{ steps.c-3po.outputs.is-chances && steps.c-3po.outputs.has-chances-survival }}
- run: echo "R2 says the chances of survival are ${{ steps.c-3po.outputs.has-chances-survival }}... to one"
+ run: node ./test/assets/echo.js"
+ env:
+ INPUTS_ARG1: "R2 says the chances of survival are"
+ INPUTS_ARG2: "${{ steps.c-3po.outputs.has-chances-survival }}"
+ INPUTS_ARG3: "... to one"
 - if: ${{ steps.c-3po.outputs.is-chances && steps.c-3po.outputs.has-chances-win > 0 }}
 run: echo "We'll take the next chance, and the next."
diff --git a/test/assets/echo.js b/test/assets/echo.js
new file mode 100644
index 0000000..675fbb4
--- /dev/null
+++ b/test/assets/echo.js
@@ -0,0 +1,5 @@
+const core = require('@actions/core')
+
+const args = [process.env.INPUTS_ARG1, process.env.INPUTS_ARG2, process.env.INPUTS_ARG3]
+
+core.info(args.join(' '))
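Review bot: The second rewritten step's `run: node ./test/assets/echo.js"` ends with a stray double quote, so the shell receives an unterminated string and the step fails whenever its `if` condition is true; it should read `run: node ./test/assets/echo.js`, matching the first step. Handing the step outputs to the script through `env:` instead of interpolating `${{ … }}` into the command text is the right shape for this fix, since the shell then never parses the value. The rest of the workflow lies outside this hunk, so any other `run:` line that still interpolates `steps.c-3po.outputs.*` directly should be checked for the same pattern.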
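Review bot: `core.info` writes the environment values to stdout unmodified, and the runner treats stdout lines that begin with `::` as workflow commands, so in the first step, where `INPUTS_ARG1` is the step output and lands at the start of the line, a value that can be influenced from outside may be interpreted by the runner rather than only printed (how the outputs are derived is not visible in this patch). I would emit a constant prefix and flatten line breaks, e.g. `core.info('c-3po: ' + args.filter((a) => a !== undefined).join(' ').replace(/[\r\n]+/g, ' '))`. The filter also removes the trailing space the first step gets because `INPUTS_ARG3` is unset there and `join` renders `undefined` as an empty string. Separately, `require('@actions/core')` needs the package installed before these steps run; whether the job does that is outside what the patch shows.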