Skip to content

Support spaces in file names#322

Open
akohout-hai wants to merge 1 commit intorojopolis:masterfrom
akohout-hai:master
Open

Support spaces in file names#322
akohout-hai wants to merge 1 commit intorojopolis:masterfrom
akohout-hai:master

Conversation

@akohout-hai
Copy link

@akohout-hai akohout-hai commented Feb 19, 2026

Currently, spaces in file names as mentioned in the Readme do not work due to word splitting in the entrypoint.
With these changes, the spell checker correctly processes files with spaces.

@akohout-hai akohout-hai requested a review from jonasbn as a code owner February 19, 2026 17:11
@jonasbn jonasbn requested a review from Copilot February 23, 2026 12:26
Copilot AI reviewed Feb 23, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR implements support for file names containing spaces in the spellcheck GitHub Action. The changes convert the SOURCES_LIST variable from string concatenation to a bash array, which properly preserves spaces in file paths and prevents word splitting issues that would otherwise cause the action to fail when processing files with spaces in their names.

Changes:

  • Convert SOURCES_LIST from string to bash array to handle spaces in file names
  • Update array append operations to use proper bash array syntax with quoted elements
  • Replace string emptiness checks with array length checks

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

entrypoint.sh
if [ -n "$INPUT_OUTPUT_FILE" ] && [ -n "$SOURCES_LIST" ]; then
$COMMAND --config "$SPELLCHECK_CONFIG_FILE" --spellchecker "$SPELL_CHECKER" $TASK_NAME $SOURCES_LIST | tee "$INPUT_OUTPUT_FILE"
if [ -n "$INPUT_OUTPUT_FILE" ] && [ "${#SOURCES_LIST[@]}" -gt 0 ]; then
$COMMAND --config "$SPELLCHECK_CONFIG_FILE" --spellchecker "$SPELL_CHECKER" $TASK_NAME "${SOURCES_LIST[@]}" | tee "$INPUT_OUTPUT_FILE"
Copy link

Copilot AI Feb 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Variable TASK_NAME is derived directly from the untrusted action input INPUT_TASK_NAME and then expanded unquoted in the shell command at this line. If a workflow passes attacker-controlled data into task_name (for example using PR titles or other user input), shell metacharacters like $(...) or backticks in the value will be interpreted by the shell, allowing arbitrary commands to execute in the GitHub Actions runner. To prevent command injection, avoid interpolating untrusted input into a shell command string and instead pass it as a separately quoted argument (for example by building an argument list such as TASK_NAME_ARGS=(--name "$INPUT_TASK_NAME") and expanding it as "${TASK_NAME_ARGS[@]}").

Copilot uses AI. Check for mistakes.
Copy link
Collaborator

@jonasbn jonasbn Feb 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@akohout-hai what do you think about the suggestion from copilot, it follows your implementation pattern, so it would be okay IMHO. And I believe it is necessary to address the unsafe TASK_NAME

@jonasbn jonasbn added the enhancement New feature or request label Feb 24, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@jonasbn jonasbn Awaiting requested review from jonasbn jonasbn is a code owner

Assignees

No one assigned

Labels

enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@akohout-hai @jonasbn