action-dotenv-to-setenv
Command Injection via the `.env` file
Hi @c-py,
The action is vulnerable to a command injection vulnerability. This makes workflows that use the action in pull_request_target and other contexts with read/write access vulnerable.
You may contact me @nikitastupin on Telegram or _nikitastupin on Twitter if you have questions or doubts.
P.S. I tried to find a private channel of communication with no luck, so the only way was to file the issue publicly.
Steps to Reproduce
Create the .env file with the following contents:
TEST='"; echo "untrusted code execution!" >&2 #'
Run the ./dotenv.sh script. You should see the following output:
untrusted code execution!
dotenv.sh: line 66: $GITHUB_ENV: ambiguous redirect
Remediation
I would suggest avoiding the use of eval as part of the action logic.
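One way to follow the remediation above, as an added example that is not part of the original report and not the action's own code: a POSIX sh function that copies `KEY=VALUE` lines into an env file without `eval` or `source`, so the `.env` line from the report is written out as literal data. The function name `dotenv_to_env_file` and the demo file names are assumptions; in a workflow the second argument would be `"$GITHUB_ENV"`.

```shell
#!/bin/sh
# Added example (not the action's code): copy KEY=VALUE pairs from a dotenv
# file into an env file such as "$GITHUB_ENV" without eval or source.
# dotenv_to_env_file is a hypothetical name.
dotenv_to_env_file() {
  src=$1 dest=$2 n=0
  cr=$(printf '\r')
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    line=${line%"$cr"}                 # tolerate CRLF files
    case $line in
      ''|'#'*) continue ;;             # blank line or comment
      *=*) ;;                          # candidate assignment
      *) echo "line $n: not KEY=VALUE, skipped" >&2; continue ;;
    esac
    key=${line%%=*}
    value=${line#*=}
    # Allow only [A-Za-z_][A-Za-z0-9_]*; never echo the untrusted key back.
    case $key in
      ''|[0-9]*|*[!A-Za-z0-9_]*)
        echo "line $n: invalid key, skipped" >&2; continue ;;
    esac
    # Remove one pair of matching outer quotes; the rest stays literal data.
    case $value in
      \"*\") value=${value#\"}; value=${value%\"} ;;
      \'*\') value=${value#\'}; value=${value%\'} ;;
    esac
    # printf writes the bytes verbatim; the quoted redirect target avoids
    # word splitting of the destination path.
    printf '%s=%s\n' "$key" "$value" >> "$dest"
  done < "$src"
}

# Constructed demo input: the .env line from the report plus benign lines.
demo_dir=$(mktemp -d)
cat > "$demo_dir/.env" <<'EOF'
TEST='"; echo "untrusted code execution!" >&2 #'
# a comment
PORT=8080
bad-key=ignored
EOF
dotenv_to_env_file "$demo_dir/.env" "$demo_dir/github_env" 2> "$demo_dir/stderr"
cat "$demo_dir/github_env"
```

Values are read one line at a time, so each entry written to the destination is a single line.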