fix: prevent DecodeOptions.listLimit bypass in bracket notation to mitigate potential DoS via memory exhaustion
#92
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish package (dry run) | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| defaults: | |
| run: | |
| shell: bash | |
| permissions: | |
| contents: read | |
| env: | |
| PUB_ENVIRONMENT: bot.github | |
| concurrency: | |
| group: publish-dry-run-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| get_base_version: | |
| name: "Get base version" | |
| runs-on: ubuntu-latest | |
| outputs: | |
| BASE_VERSION: ${{ steps.load_base_version.outputs.BASE_VERSION }} | |
| steps: | |
| - uses: actions/cache@v5 | |
| with: | |
| path: "~/.pub-cache/hosted" | |
| key: "os:ubuntu-latest;pub-cache-hosted;sdk:stable;packages:qs_dart;commands:get_base_version" | |
| restore-keys: | | |
| os:ubuntu-latest;pub-cache-hosted;sdk:stable;packages:qs_dart | |
| os:ubuntu-latest;pub-cache-hosted;sdk:stable | |
| os:ubuntu-latest;pub-cache-hosted | |
| os:ubuntu-latest | |
| - uses: dart-lang/setup-dart@v1 | |
| with: | |
| sdk: stable | |
| - id: checkout | |
| uses: actions/checkout@v6 | |
| with: | |
| ref: ${{ github.event.pull_request.base.ref }} | |
| - name: Load base version | |
| id: load_base_version | |
| run: | | |
| set -e | |
| echo "BASE_VERSION=$(awk '/^version: / {print $2}' pubspec.yaml)" >> $GITHUB_OUTPUT | |
| publish_dry_run: | |
| name: "Publish DRY RUN" | |
| needs: get_base_version | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/cache@v5 | |
| with: | |
| path: "~/.pub-cache/hosted" | |
| key: "os:ubuntu-latest;pub-cache-hosted;sdk:stable;packages:qs_dart;commands:get_base_version" | |
| restore-keys: | | |
| os:ubuntu-latest;pub-cache-hosted;sdk:stable;packages:qs_dart | |
| os:ubuntu-latest;pub-cache-hosted;sdk:stable | |
| os:ubuntu-latest;pub-cache-hosted | |
| os:ubuntu-latest | |
| - uses: dart-lang/setup-dart@v1 | |
| with: | |
| sdk: stable | |
| - id: checkout | |
| uses: actions/checkout@v6 | |
| - name: Load this version | |
| id: load_this_version | |
| run: | | |
| set -e | |
| echo "THIS_VERSION=$(awk '/^version: / {print $2}' pubspec.yaml)" >> $GITHUB_ENV | |
| - name: Compare versions | |
| id: compare_versions | |
| env: | |
| BASE_VERSION: ${{ needs.get_base_version.outputs.BASE_VERSION }} | |
| run: | | |
| set -e | |
| pushd scripts || exit | |
| dart pub get | |
| echo "IS_VERSION_GREATER=$(dart run compare_versions.dart $THIS_VERSION $BASE_VERSION)" >> $GITHUB_ENV | |
| popd || exit | |
| - name: Validate pub.dev topics | |
| id: validate_pub_dev_topics | |
| run: | | |
| set -e | |
| pattern="^[a-z][a-z0-9-]*[a-z0-9]$" | |
| for topic in $(yq -r '.topics[]' pubspec.yaml); do | |
| if [[ ! $topic =~ $pattern ]]; then | |
| echo "Invalid topic: $topic" | |
| exit 1 | |
| fi | |
| done | |
| - name: Publish (dry run) | |
| id: publish_dry_run | |
| if: ${{ env.IS_VERSION_GREATER == 1 }} | |
| run: dart pub publish --dry-run | |
| - name: Skip publish (dry run) | |
| id: skip_publish_dry_run | |
| if: ${{ env.IS_VERSION_GREATER == 0 }} | |
| run: echo "Skipping publish (dry run) because the version is not greater than the one on pub.dev" |