chore: triage review findings

entrypoint.sh

@@ -11,8 +11,15 @@ section() {
 require_value() {
     local name="$1"
     local value="$2"
+    local display_value="$value"
 
-    printf '%s=%s\n' "$name" "$value"
+    case "$name" in
+        *TOKEN*|*SECRET*|*PASSWORD*|*PASS*|*KEY*)
+            display_value="***"
+            ;;
+    esac
+
+    printf '%s=%s\n' "$name" "$display_value"
 
     if [ -z "$value" ] || [ "$value" = "null" ]; then
         printf '錯誤：%s 不可為空\n' "$name" >&2
@@ -20,6 +27,33 @@ require_value() {
     fi
 }
 
+validate_release_archive() {
+    local archive="$1"
+    local archive_entries
+    local entry
+    local normalized_entry
+
+    if ! archive_entries="$(unzip -Z1 "$archive")"; then
+        printf '錯誤：無法讀取壓縮檔：%s\n' "$archive" >&2
+        exit 1
+    fi
+
+    while IFS= read -r entry; do
+        [ -z "$entry" ] && continue
+
+        normalized_entry="${entry//\\//}"
+
+        case "$normalized_entry" in
+            /*|../*|*/../*|*/..|..)
+                printf '錯誤：壓縮檔包含不安全路徑：%s\n' "$entry" >&2
+                exit 1
+                ;;
+        esac
+    done <<EOF
+$archive_entries
+EOF
+}
+
 require_index() {
     local value="$1"
 
@@ -63,6 +97,7 @@ section "解壓縮成品"
 
 rm -rf output
 mkdir -p output
+validate_release_archive "$release_name"
 unzip -q "$release_name" -d output
 printf '已解壓縮到：%s\n' "output"
 
@@ -78,14 +113,13 @@ if [ "${#nuget_packages[@]}" -eq 0 ]; then
     exit 1
 fi
 
-nuget_package="${nuget_packages[0]}"
+for nuget_package in "${nuget_packages[@]}"; do
+    printf 'NUGET_PACKAGE=%s\n' "$nuget_package"
 
-printf 'NUGET_PACKAGE=%s\n' "$nuget_package"
-
-dotnet nuget push "$nuget_package" \
-    --source "$nuget_source" \
-    --api-key "$RUNNER_TOKEN" \
-    --skip-duplicate \
-    --allow-insecure-connections
+    dotnet nuget push "$nuget_package" \
+        --source "$nuget_source" \
+        --api-key "$RUNNER_TOKEN" \
+        --skip-duplicate
+done
 
 section "完成"