From 0a2560b981364dde4c8cf8ce9d164c40669a8611 Mon Sep 17 00:00:00 2001
From: Jelle Zijlstra <jelle.zijlstra@gmail.com>
Date: Fri, 6 Mar 2026 09:18:07 -0800
Subject: [PATCH] Harden Black action version parsing (#5031)

---
 CHANGES.md                          | 7 +++++++
 action/main.py                      | 6 +++++-
 docs/integrations/github_actions.md | 5 +++++
 3 files changed, 17 insertions(+), 1 deletion(-)

Index: black-25.1.0/action/main.py
===================================================================
--- black-25.1.0.orig/action/main.py
+++ black-25.1.0/action/main.py
@@ -17,7 +17,11 @@ BLACK_ARGS = os.getenv("INPUT_BLACK_ARGS
 VERSION = os.getenv("INPUT_VERSION", default="")
 USE_PYPROJECT = os.getenv("INPUT_USE_PYPROJECT") == "true"
 
-BLACK_VERSION_RE = re.compile(r"^black([^A-Z0-9._-]+.*)$", re.IGNORECASE)
+BLACK_VERSION_RE = re.compile(
+    r"^black((?:\s*(?:~=|==|!=|<=|>=|<|>|===)\s*[A-Za-z0-9*+._-]+)"
+    r"(?:\s*,\s*(?:~=|==|!=|<=|>=|<|>|===)\s*[A-Za-z0-9*+._-]+)*)\s*$",
+    re.IGNORECASE,
+)
 EXTRAS_RE = re.compile(r"\[.*\]")
 EXPORT_SUBST_FAIL_RE = re.compile(r"\$Format:.*\$")
 
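Review bot: The new BLACK_VERSION_RE still lets vertical whitespace into the specifier it captures, because `\s*` matches newline, carriage return, form feed and any Unicode space, and the first `\s*` sits inside group 1, so an input like `"black\r\n==25.1.0"` matches and group(1) starts with `\r\n`; if group(1) is appended to a pip requirement as the old capture was (that code is outside this hunk), tightening the pattern to `[ \t]*` keeps the captured text to a single printable token: `r"^black((?:[ \t]*(?:~=|==|!=|<=|>=|<|>|===)[ \t]*[A-Za-z0-9*+._-]+)"` and `r"(?:[ \t]*,[ \t]*(?:~=|==|!=|<=|>=|<|>|===)[ \t]*[A-Za-z0-9*+._-]+)*)[ \t]*$"`. The version character class omits `!`, so PEP 440 epoch versions such as `black>=1!25.0` are now rejected, which is fine for a hardening change but should be stated in the comment above the pattern, e.g. `# Only plain PEP 440 operator/version pairs; extras, markers, direct references (@ url) and epochs are rejected.` The diffstat touches no test file; a few regression cases (accept `>=25,<26`, `==25.*`, `~=25.1`, ` === 25.1.0`; reject `black @ https://...`, `black; sys_platform == "win32"`, `black==25 --index-url x`) would pin this behaviour against future edits of the regex.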
Index: black-25.1.0/docs/integrations/github_actions.md
===================================================================
--- black-25.1.0.orig/docs/integrations/github_actions.md
+++ black-25.1.0/docs/integrations/github_actions.md
@@ -53,6 +53,11 @@ finds files that need to be formatted.
 
 Here's an example configuration:
 
+**Security note:** `use_pyproject` only accepts standard version specifiers for `black`
+(for example `==`, `~=`, `>=` and ranges like `>=25,<26`). Direct references such as
+`black @ https://...` are not supported. If your workflow runs on untrusted pull
+requests (for example from forks), prefer setting `with.version` explicitly.
+
 ```yaml
 - uses: psf/black@stable
   with:
