From 756c3ea0de3df201a408b2090eaca7e955c67c9f Mon Sep 17 00:00:00 2001
From: "Fred K. Schott"
Date: Wed, 5 Jul 2023 21:37:28 -0700
Subject: [PATCH] Update benchmark.yml
---
 .github/workflows/benchmark.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index 89934f492..49d566553 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -43,8 +43,11 @@ jobs:
 - name: Get bench command
 id: bench-command
+ env:
+ # protects from untrusted user input and command injection
+ COMMENT: ${{ github.event.comment.body }}
 run: |
- benchcmd=$(echo "${{ github.event.comment.body }}" | grep '!bench' | awk -F ' ' '{print $2}')
+ benchcmd=$(echo "$COMMENT" | grep '!bench' | awk -F ' ' '{print $2}')
 echo "bench=$benchcmd" >> $GITHUB_OUTPUT
 shell: bash
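Review bot: The value written by `echo "bench=$benchcmd" >> $GITHUB_OUTPUT` is still taken from the comment without validation: `grep '!bench'` passes every matching line, so a multi-line comment yields a multi-line `benchcmd`, and each extra line is parsed as a separate entry in `$GITHUB_OUTPUT`. I would keep only the first match and reject anything outside the expected benchmark names before writing it, e.g. `benchcmd=$(printf '%s\n' "$COMMENT" | grep -m1 '!bench' | awk '{print $2}')` followed by `[[ "$benchcmd" =~ ^[A-Za-z0-9._-]*$ ]] || exit 1` (adjust the character class to the names the workflow accepts), and quote `"$GITHUB_OUTPUT"`. The steps that read `steps.bench-command.outputs.bench` are outside this hunk; if any of them expands it with `${{ }}` inside a `run:` block, it needs the same env-variable indirection this commit applies here. The new comment could also state the mechanism, for instance `# pass the comment body via env so the shell never parses it as script text`.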