Update pipeline to use reusable witness workflow #78
Conversation
Signed-off-by: John Kjell <[email protected]>
Signed-off-by: John Kjell <[email protected]>
Signed-off-by: John Kjell <[email protected]>
| with: | ||
| step: ${{ inputs.step }} | ||
| attestations: $${ inputs.attestations }} | ||
| command: /bin/sh -c "$${ inputs.command }}" |
There was a problem hiding this comment.
I think there is a potential for a script injection attack. https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#example-of-a-script-injection-attack
Here is a suggestion
- if: ${{ inputs.pull_request == false }}
uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
env:
INPUT_COMMAND: ${{ inputs.command }}
with:
step: ${{ inputs.step }}
attestations: $${ inputs.attestations }}
command: /bin/sh -c "$INPUT_COMMAND"
There was a problem hiding this comment.
This is something that in general caught my attention as I've been familiarizing myself with Witness and some of the pipeline examples.
I have thoughts on how this could be solved, though it's possible its over-engineering so it would be better to discuss it elsewhere. I can create a feature issue if that is what would be most appropriate for internal assessment || community discussion.
EDIT: As @mikhailswift pointed out though, it's likely most if not all scenarios like this may not be vulnerable in a meaningful way. That said, there may be something to be said about creating a more streamlined secure way of implementing pipeline job scripts in general for orgs/devs who may not have the same level of insight into issues such as this.
There was a problem hiding this comment.
i think this looks good to fix the problem.
I'm not 100% certain, so if someone has strong objections, please vocalize them, but I don't believe how we're handling inputs.command here is susceptible to injection in a meaningful way. Since inputs.command is coming directly from the workflow file and not from a source such as a pull request title or some other arbitrary source, any injection here would have to happen by modifying the workflow yaml directly.
| attestations: $${ inputs.attestations }} | ||
| command: /bin/sh -c "$${ inputs.command }}" |
There was a problem hiding this comment.
Can I ask, does the $${ ... }} have special meaning here? A little thrown off by the imbalanced curly braces and double $$ as I'm unfamiliar with any special context they have in GitHub workflows and I was unable to find any documentation after a thorough search. I know GitLab uses it to escape another $ for when auto variable expansion is enabled. Also that shell itself uses it as a PID reference.
It seems to be getting interpolated as expected by the action so I assume either there's some special meaning, or its auto escaping these special characters through some means. Or maybe I'm wildly missing something... 😅
There was a problem hiding this comment.
Nope, this was just wrong. 😅 And I deleted the branch too fast to fix it here. 😞
This should also resolve issue with forks generating attestations (by not generating attestations on PRs)