From 7dfca51f6f10dad69539ec391f86bc61a71a7662 Mon Sep 17 00:00:00 2001
From: Jordan <128091138+jrichy1@users.noreply.github.com>
Date: Mon, 14 Oct 2024 01:46:35 -0400
Subject: [PATCH] Fix code scanning alert no. 2: Regular expression injection

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Jordan <128091138+jrichy1@users.noreply.github.com>
---
 package.json | 3 ++-
 src/input.ts | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/package.json b/package.json
index e9f04124..9633b2da 100644
--- a/package.json
+++ b/package.json
@@ -33,7 +33,8 @@
 },
 "dependencies": {
 "@actions/core": "1.10.1",
- "@actions/exec": "1.1.1"
+ "@actions/exec": "1.1.1",
+ "lodash": "^4.17.21"
 },
 "devDependencies": {
 "@commitlint/cli": "19.5.0",
diff --git a/src/input.ts b/src/input.ts
index 3b8c8791..5f837608 100644
--- a/src/input.ts
+++ b/src/input.ts
@@ -1,5 +1,6 @@
 import * as core from '@actions/core';
 import path from 'path';
+import _ from 'lodash';
 interface EnvironmentVariable {
 key: string;
@@ -29,7 +30,7 @@ class Input {
 constructor() {
 const envRegexInput = core.getInput('env-regex');
 const envRegex = envRegexInput
- ? new RegExp(envRegexInput)
+ ? new RegExp(_.escapeRegExp(envRegexInput))
 : this.options.envRegex;
 this._environmentVariables = new Map(
 Object.entries(process.env)
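Review bot: The new `"lodash": "^4.17.21"` entry uses a caret range while every other dependency visible in this hunk is pinned to an exact version, so installs can drift to a later 4.x release without review; `"lodash": "4.17.21"` would match the file's convention. The diffstat lists only package.json and src/input.ts, so if the repository keeps a lockfile or a committed build bundle, neither is updated by this commit and both should be regenerated in the same change. Adding all of lodash for one helper also widens the action's dependency surface more than a single-function package or a small local escape helper would.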
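Review bot: `import _ from 'lodash'` brings the whole library into this module for a single call; `import escapeRegExp from 'lodash/escapeRegExp';` keeps the import to the one function that is used. No type package for lodash is added in the package.json hunk of this commit, so unless `@types/lodash` is already among the devDependencies outside that hunk, a strict TypeScript build will likely reject the untyped import.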
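Review bot: Escaping the whole `env-regex` value turns the input from a pattern into a literal string, so in `new RegExp(_.escapeRegExp(envRegexInput))` a value such as `^FOO_` (constructed example) no longer selects variables by prefix and matches only names containing those exact characters; the alert is closed by removing the feature rather than bounding it. The fallback `this.options.envRegex` is still used as a pattern, so the supplied and default values now follow different rules. If pattern matching is meant to stay, keep `new RegExp(envRegexInput)` and instead reject over-long values and catch the `SyntaxError` that an invalid pattern throws; if literal matching is intended, say so with a comment such as `// env-regex is matched literally, not as a pattern` and update the input's documentation. The constructor body continues past the end of the hunk, so how `envRegex` is applied to the variable names is not visible here.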