Security risks in OpenCV actions?

[ilya-lavrenov]

ci-gha-workflow/.github/workflows/OCV-Contrib-PR-3.4-ARM64.yaml

Lines 57 to 60 in 8578610

	echo "PR Author: ${{ env.PR_AUTHOR }}"
	echo "PR Author fork: ${{ env.PR_AUTHOR_FORK }}"
	echo "Source branch name: ${{ env.SOURCE_BRANCH_NAME }}"
	echo "Target branch name: ${{ env.TARGET_BRANCH_NAME }}"

Is it safe to use injections here via env var? I suppose once SOURCE_BRANCH_NAME and other env vars are created, they should be referenced simply as $SOURCE_BRANCH_NAME, otherwise it may not have proper effect.

Please, see Remediation section as a reference.

[Thakor-Yashpal]

Hi, I see this security issue is still open. It looks like @asmorkalov is assigned, but it's been a while. If this is still looking for a fix, I'd be happy to investigate and submit a pull request to address the potential injection risks. Please let me know if I can help!