From 51326f3698664de4a426aa4d3bfda93d7226a692 Mon Sep 17 00:00:00 2001
From: Vasyl Spachynskyi
Date: Mon, 27 Jan 2025 12:13:40 +0200
Subject: [PATCH] Fix potential command injection which can lead to RCE via compromised `version`.

---
 .github/workflows/branch_snapshot.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/branch_snapshot.yml b/.github/workflows/branch_snapshot.yml
index 79ac0cdb06..3e4f3e0550 100644
--- a/.github/workflows/branch_snapshot.yml
+++ b/.github/workflows/branch_snapshot.yml
@@ -35,8 +35,9 @@ jobs:
         java-version: 17
         cache: 'gradle'
     - name: Build snapshot
-      run: ./gradlew build snapshot -Prelease.version=${{ github.event.inputs.version }}
+      run: ./gradlew build snapshot -Prelease.version="$BUILD_VERSION"
       env:
+        BUILD_VERSION: ${{ github.event.inputs.version }}
         NETFLIX_OSS_SIGNING_KEY: ${{ secrets.ORG_SIGNING_KEY }}
         NETFLIX_OSS_SIGNING_PASSWORD: ${{ secrets.ORG_SIGNING_PASSWORD }}
         NETFLIX_OSS_REPO_USERNAME: ${{ secrets.ORG_NETFLIXOSS_USERNAME }}
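Review bot: The quoted `"$BUILD_VERSION"` on the new `run:` line keeps the shell from interpreting the input, but nothing constrains the value itself, so any string the dispatcher supplies is still handed to Gradle unchanged as the `release.version` property. A short guard step placed before `Build snapshot` that fails the job unless the value matches a conservative version pattern would make that contract explicit and give a clear error instead of whatever Gradle does with an odd value. Inside `run:` the variable must keep being read as `$BUILD_VERSION`; writing `${{ env.BUILD_VERSION }}` there would splice the value back into the script text and reopen the issue this commit closes. The `steps` list and the `workflow_dispatch` input definition lie outside the hunk, so whether the input is already marked `required` or otherwise constrained cannot be seen here.
```yaml
    - name: Validate version input
      env:
        BUILD_VERSION: ${{ github.event.inputs.version }}
      run: |
        if [[ ! "$BUILD_VERSION" =~ ^[0-9A-Za-z][0-9A-Za-z._+-]*$ ]]; then
          echo "::error::release.version must be a plain version string (letters, digits, . _ + -)"
          exit 1
        fi
    # … unchanged: Build snapshot step with BUILD_VERSION in env …
```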