Fix potential regex injection from user-provided version_prefix

Author: RaumZeit

src/index.js

@@ -41,10 +41,10 @@ async function extractReleaseNotes(changelogFile, prerelease, versionPrefix, hea
     })
     const lines = []
     let inside_release = false
-    const header_level = (Number.isInteger(headerLevel) && (headerLevel > 0) && (headerLevel < 7)) ? headerLevel : 2
+    const header_level = (Number.isInteger(headerLevel) && (headerLevel > 0) && (headerLevel < 7)) ? +headerLevel : 2
     const level_match_regex = "^#{" + header_level + "}\\s+"
     const levelup_match_regex = (header_level > 1) ? "^#{1," + (header_level - 1) + "}\\s+" : level_match_regex
-    const version_match_regex = "\\[" + versionPrefix + "\\s*[0-9]"
+    const version_match_regex = "\\[" + escapeRegex(versionPrefix) + "\\s*[0-9]"
     const unreleases_match_regex = "\\[Unreleased\\]"
     core.debug(`version_match_regex: '${version_match_regex}'`)
     core.debug(`unrelease_match_regex: '${unreleases_match_regex}'`)
@@ -93,3 +93,7 @@ function writeReleaseNotesFile(releaseNotesFile, releaseNotes) {
         })
     }
 }
+
+function escapeRegex(string) {
+    return string.replace(/[/\-\\^$*+?.()|[\]{}]/g, '\\$&');
+}