From 95ae802ec2898b2b5e5218c52b5e796a651112b0 Mon Sep 17 00:00:00 2001
From: Eason Su
Date: Wed, 15 May 2024 16:30:53 +0800
Subject: [PATCH 1/2] Avoid running malicious inputs as shell commands in Custom GitHub actions.
---
 .../actions/automerge-released-trunk/action.yml | 4 +++-
 .../actions/eslint-annotation/action.yml | 3 ++-
 .../actions/merge-trunk-develop-pr/action.yml | 4 ++--
 .../prepare-extension-release/action.yml | 17 ++++++++++-------
 .../actions/prepare-node/action.yml | 6 +++---
 .../actions/prepare-php/action.yml | 3 ++-
 .../actions/run-qit-annotate/action.yml | 13 +++++++++----
 .../actions/stylelint-annotation/action.yml | 3 ++-
 8 files changed, 33 insertions(+), 20 deletions(-)
diff --git a/packages/github-actions/actions/automerge-released-trunk/action.yml b/packages/github-actions/actions/automerge-released-trunk/action.yml
index d676dcad..60e6581a 100644
--- a/packages/github-actions/actions/automerge-released-trunk/action.yml
+++ b/packages/github-actions/actions/automerge-released-trunk/action.yml
@@ -11,10 +11,12 @@ runs:
 if: ${{ github.event.pull_request.merged == true && startsWith(github.head_ref, 'release/') && github.event.pull_request.user.login == 'github-actions[bot]' }}
 # Use the github-actions bot account to commit.
 # https://api.github.com/users/github-actions%5Bbot%5D
+ env:
+ HEAD_REF: ${{ github.head_ref }}
 run: |
 git config user.name github-actions[bot]
 git config user.email 41898282+github-actions[bot]@users.noreply.github.com
 git fetch origin develop trunk --unshallow --no-tags
 git checkout develop
- git merge --no-ff origin/trunk -m "Automerge ${{ github.head_ref }} from trunk to develop"
+ git merge --no-ff origin/trunk -m "Automerge ${HEAD_REF} from trunk to develop"
 git push
diff --git a/packages/github-actions/actions/eslint-annotation/action.yml b/packages/github-actions/actions/eslint-annotation/action.yml
index 5c859b92..e2a684ef 100644
--- a/packages/github-actions/actions/eslint-annotation/action.yml
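Review bot: The new `env:` block carries no note on why `HEAD_REF` is no longer written with `${{ }}` inside `run:`, and the same unexplained indirection is repeated in the prepare-node, prepare-php, eslint-annotation and stylelint-annotation hunks. A one-line comment above each `env:` would keep a later editor from folding the expression back into the script, e.g. `# Pass context values and inputs through env so the shell sees them as data, never as script text.` The `if:` above already restricts this step to `release/` branches opened by github-actions[bot], so the exposure on this particular line is small, but the comment is what turns the fix into a rule for the other `run:` blocks in these actions.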
+++ b/packages/github-actions/actions/eslint-annotation/action.yml
@@ -11,8 +11,9 @@ runs:
 steps:
 # Copy formatter script to the destination file path.
 - shell: bash
+ env:
+ SCRIPT_DEST: ${{ inputs.formatter-dest }}
 run: |
- SCRIPT_DEST="${{ inputs.formatter-dest }}"
 mkdir -p $(dirname "$SCRIPT_DEST")
 echo '/* eslint-disable */' > "$SCRIPT_DEST"
 cat "${{ github.action_path }}/eslintFormatter.cjs" >> "$SCRIPT_DEST"
diff --git a/packages/github-actions/actions/merge-trunk-develop-pr/action.yml b/packages/github-actions/actions/merge-trunk-develop-pr/action.yml
index 30510164..b480a11b 100644
--- a/packages/github-actions/actions/merge-trunk-develop-pr/action.yml
+++ b/packages/github-actions/actions/merge-trunk-develop-pr/action.yml
@@ -9,11 +9,11 @@ runs:
 uses: actions/github-script@v6
 with:
 script: |
- const title = '${{github.event.pull_request.title}} - Merge `trunk` to `develop`';
+ const title = `${ context.payload.pull_request.title } - Merge \`trunk\` to \`develop\``;
 const opts = await github.rest.pulls.create( {
 ...context.repo,
 base: 'develop',
 head: 'trunk',
 title,
- body: '${{ github.event.pull_request.html_url }}',
+ body: context.payload.pull_request.html_url,
 } );
diff --git a/packages/github-actions/actions/prepare-extension-release/action.yml b/packages/github-actions/actions/prepare-extension-release/action.yml
index f070ca4b..6711548d 100644
--- a/packages/github-actions/actions/prepare-extension-release/action.yml
+++ b/packages/github-actions/actions/prepare-extension-release/action.yml
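Review bot: `mkdir -p $(dirname "$SCRIPT_DEST")` still leaves the command substitution unquoted, so a `formatter-dest` value containing whitespace or glob characters is word-split into several arguments after expansion even though it now arrives as data through `env:`; `mkdir -p "$(dirname "$SCRIPT_DEST")"` closes that gap. The identical line is left unchanged in the stylelint-annotation hunk of this patch. `${{ github.action_path }}` on the `cat` line is a runner-supplied path rather than caller input, so keeping it inline is defensible, though moving it into the same `env:` block would make the step uniformly free of expression interpolation and simpler to lint for.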
@@ -37,20 +37,25 @@ runs:
 steps:
 - name: Set release branch name
 id: release-vars
+ env:
+ INPUT_TYPE: ${{ inputs.type }}
+ INPUT_VERSION: ${{ inputs.version }}
 shell: bash
- run: echo "branch=${{ inputs.type }}/${{ inputs.version }}" >> $GITHUB_OUTPUT
+ run: echo "branch=${INPUT_TYPE}/${INPUT_VERSION}" >> $GITHUB_OUTPUT
 - name: Prepare release commits
+ env:
+ BRANCH_NAME: ${{ steps.release-vars.outputs.branch }}
 shell: bash
 # Use the github-actions bot account to commit.
 # https://api.github.com/users/github-actions%5Bbot%5D
 run: |
 git config user.name github-actions[bot]
 git config user.email 41898282+github-actions[bot]@users.noreply.github.com
- git checkout -b ${{ steps.release-vars.outputs.branch }}
+ git checkout -b "${BRANCH_NAME}"
- git commit --allow-empty -q -m "Start \`${{ steps.release-vars.outputs.branch }}\`."
- git push --set-upstream origin ${{ steps.release-vars.outputs.branch }}
+ git commit --allow-empty -q -m "Start \`${BRANCH_NAME}\`."
+ git push --set-upstream origin "${BRANCH_NAME}"
 - name: Create a pull request for the release
 id: prepare-release-pr
 uses: actions/github-script@v6
@@ -64,11 +69,9 @@ runs:
 context,
 github,
 inputs,
- refName: '${{ steps.release-vars.outputs.branch }}'
+ refName: `${ inputs.type }/${ inputs.version }`,
 } );
 - name: Generate summary
 shell: bash
 run: |
 echo "Release PR created at ${{ fromJSON(steps.prepare-release-pr.outputs.result).html_url }}" >> $GITHUB_STEP_SUMMARY
-
-
diff --git a/packages/github-actions/actions/prepare-node/action.yml b/packages/github-actions/actions/prepare-node/action.yml
index f73def4c..97dc085a 100644
--- a/packages/github-actions/actions/prepare-node/action.yml
+++ b/packages/github-actions/actions/prepare-node/action.yml
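Review bot: The new `run: echo "branch=${INPUT_TYPE}/${INPUT_VERSION}" >> $GITHUB_OUTPUT` keeps the inputs out of the shell parser, but it still publishes them unvalidated: a value containing a newline would append further `key=value` lines to `$GITHUB_OUTPUT`, and a composed name beginning with `-` is later handed to `git push --set-upstream origin "${BRANCH_NAME}"` where git reads it as an option. Validating the name before emitting it closes both cases: `branch="${INPUT_TYPE}/${INPUT_VERSION}"`, `git check-ref-format --branch "${branch}" > /dev/null`, `echo "branch=${branch}" >> "$GITHUB_OUTPUT"`. `git check-ref-format --branch` rejects control characters and a leading `-` and fails the step instead of creating an odd ref; the later `git checkout -b` already assumes the workspace is a checkout, so the check has a repository to run in.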
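Review bot: The `refName` template literal recomputes the branch name from `inputs.type` and `inputs.version` in JavaScript instead of reading the `branch` output that the `release-vars` step already publishes, so the two can drift if either is edited; where the JavaScript `inputs` object comes from is outside this hunk. The step's `env:` is the same channel the rest of the patch uses: `BRANCH_NAME: ${{ steps.release-vars.outputs.branch }}` under the github-script step's `env:` and `refName: process.env.BRANCH_NAME,` in the script keep one source of truth without putting `${{ }}` back into code. The enclosing github-script step starts above this hunk. The "Generate summary" step below still inlines `${{ fromJSON(steps.prepare-release-pr.outputs.result).html_url }}` into its `run:`; that value is API-sourced rather than caller input, but the same `env:` move would leave this file with no interpolation inside any script.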
@@ -44,11 +44,11 @@ runs:
 # Install node dependencies.
 - shell: bash
+ env:
+ INSTALL_DEPS: ${{ inputs.install-deps }}
+ IGNORE_SCRIPTS: ${{ inputs.ignore-scripts }}
 # `actions/setup-node` should update npm cache directory if `package-lock` has changed.
 run: |
- INSTALL_DEPS="${{ inputs.install-deps }}"
- IGNORE_SCRIPTS="${{ inputs.ignore-scripts }}"
-
 COLOR_INFO="\033[38;5;39m"
 COLOR_END="\033[0m"
diff --git a/packages/github-actions/actions/prepare-php/action.yml b/packages/github-actions/actions/prepare-php/action.yml
index d200ceee..c158a624 100644
--- a/packages/github-actions/actions/prepare-php/action.yml
+++ b/packages/github-actions/actions/prepare-php/action.yml
@@ -58,8 +58,9 @@ runs:
 # Install Composer dependencies.
 - shell: bash
+ env:
+ INSTALL_DEPS: ${{ inputs.install-deps }}
 run: |
- INSTALL_DEPS="${{ inputs.install-deps }}"
 COMPOSER_VER=$(composer --version | awk '{ print $3 }')
 COLOR_INFO="\033[38;5;39m"
diff --git a/packages/github-actions/actions/run-qit-annotate/action.yml b/packages/github-actions/actions/run-qit-annotate/action.yml
index 2d3da5dc..0967d5c1 100644
--- a/packages/github-actions/actions/run-qit-annotate/action.yml
+++ b/packages/github-actions/actions/run-qit-annotate/action.yml
@@ -58,11 +58,14 @@ runs:
 zip: ${{ inputs.extension-file && format('--zip={0}', inputs.extension-file) || '' }}
 wait: ${{ inputs.wait == 'true' && '--wait' || '' }}
 ignore_fail: ${{ inputs.ignore-fail == 'true' && '--ignore-fail' || '' }}
+ type: ${{ inputs.type }}
+ extension: ${{ inputs.extension }}
+ options: ${{ inputs.options }}
 run: |
- json=`./vendor/bin/qit run:${{ inputs.type }} \
- ${{ inputs.extension }} \
+ json=`./vendor/bin/qit run:${type} \
+ ${extension} \
 $zip \
- ${{ inputs.options }} \
+ ${options} \
 $wait \
 $ignore_fail \
 -n \
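Review bot: `${type}` and `${extension}` in the new `json=` command are still unquoted, so a `type` or `extension` input containing whitespace or glob characters expands into extra arguments to qit instead of one argument each; `"run:${type}" \` and `"${extension}" \` keep them single words. `${options}` looks deliberately unquoted so that one input can carry several flags; if that is the intent, a comment such as `# options is intentionally unquoted: it may hold several space-separated qit flags.` would stop a later reader from quoting it, and `set -f` before the command would keep glob characters in that input from expanding against the working tree. The lowercase env names match the existing `zip`, `wait` and `ignore_fail` entries of this step, which is consistent. The command continues past the end of the hunk.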
@@ -85,8 +88,10 @@ runs:
 # Annotate the results according to the status, forward qit exit code.
 - name: Annotate and exit
 shell: bash
+ env:
+ type: ${{ inputs.type }}
 run: |
- summary="${{ inputs.type }} (${{ steps.read-summary.outputs.test_run_id }}): ${{ steps.read-summary.outputs.status }} - ${{ steps.read-summary.outputs.summary }} \`qit get ${{ steps.read-summary.outputs.test_run_id }}\`";
+ summary="${type} (${{ steps.read-summary.outputs.test_run_id }}): ${{ steps.read-summary.outputs.status }} - ${{ steps.read-summary.outputs.summary }} \`qit get ${{ steps.read-summary.outputs.test_run_id }}\`";
 case ${{ steps.read-summary.outputs.status }} in
 "success") echo "::notice ::$summary" ;;
diff --git a/packages/github-actions/actions/stylelint-annotation/action.yml b/packages/github-actions/actions/stylelint-annotation/action.yml
index d9ebb1fb..6d68872a 100644
--- a/packages/github-actions/actions/stylelint-annotation/action.yml
+++ b/packages/github-actions/actions/stylelint-annotation/action.yml
@@ -11,8 +11,9 @@ runs:
 steps:
 # Copy formatter script to the destination file path.
 - shell: bash
+ env:
+ SCRIPT_DEST: ${{ inputs.formatter-dest }}
 run: |
- SCRIPT_DEST="${{ inputs.formatter-dest }}"
 mkdir -p $(dirname "$SCRIPT_DEST")
 echo '/* eslint-disable */' > "$SCRIPT_DEST"
 cat "${{ github.action_path }}/stylelintFormatter.cjs" >> "$SCRIPT_DEST"
From fdf569df280b3f5f3ca0f1d6d7938969251fd30c Mon Sep 17 00:00:00 2001
From: Eason Su
Date: Wed, 15 May 2024 16:35:53 +0800
Subject: [PATCH 2/2] Avoid running malicious inputs as shell commands in the workflows for managing test builds of Custome GitHub actions.
---
 .github/workflows/github-actions-create-test-build.yml | 3 ++-
 .github/workflows/github-actions-delete-test-build.yml | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/github-actions-create-test-build.yml b/.github/workflows/github-actions-create-test-build.yml
index 8cc7b1f6..2838ca14 100644
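Review bot: Only `inputs.type` moved to `env:` on the `summary=` line; `steps.read-summary.outputs.test_run_id`, `.status` and `.summary` are still interpolated straight into the script there and into `case ${{ steps.read-summary.outputs.status }} in`, so a summary string containing a double quote, backtick or `$(` is parsed as script rather than data, and the unquoted `case` word is subject to splitting. The `read-summary` step is outside this hunk; if, as its name suggests, its outputs are parsed from the qit response captured into `json` in the earlier hunk, they are service-supplied text and deserve the same treatment the inputs just received. Routing the three outputs through `env:` and quoting the `case` subject removes the last interpolation from this step; the env name `summary_text` avoids colliding with the `summary` shell variable the script assigns, and the branch bodies after `case` are unchanged.
```yaml
      env:
        type: ${{ inputs.type }}
        test_run_id: ${{ steps.read-summary.outputs.test_run_id }}
        status: ${{ steps.read-summary.outputs.status }}
        summary_text: ${{ steps.read-summary.outputs.summary }}
      run: |
        summary="${type} (${test_run_id}): ${status} - ${summary_text} \`qit get ${test_run_id}\`";
        case "${status}" in
        # … unchanged: per-status annotation branches …
```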
--- a/.github/workflows/github-actions-create-test-build.yml
+++ b/.github/workflows/github-actions-create-test-build.yml
@@ -20,9 +20,10 @@ jobs:
 install-deps: "no"
 - name: Create and commit test build
+ env:
+ BRANCH_NAME: ${{ github.ref_name }}
 run: |
 REPO_URL="${{ github.server_url }}/${{ github.repository }}"
- BRANCH_NAME="${{ github.ref_name }}"
 TEST_BRANCH_NAME="${BRANCH_NAME}-test-build"
 .github/scripts/github-actions-create-and-commit-build.sh "$REPO_URL" "$BRANCH_NAME"
diff --git a/.github/workflows/github-actions-delete-test-build.yml b/.github/workflows/github-actions-delete-test-build.yml
index 44af5dfd..a724e84f 100644
--- a/.github/workflows/github-actions-delete-test-build.yml
+++ b/.github/workflows/github-actions-delete-test-build.yml
@@ -15,8 +15,9 @@ jobs:
 ref: trunk
 - name: Delete test build branch
+ env:
+ BRANCH_NAME: ${{ format('{0}-test-build', github.event.ref) }}
 run: |
- BRANCH_NAME="${{ github.event.ref }}-test-build"
 REMOTE_BRANCH_NAME="origin/${BRANCH_NAME}"
 git fetch --prune --no-tags --depth=1 origin
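Review bot: `REPO_URL="${{ github.server_url }}/${{ github.repository }}"` stays as an expression inside `run:` while `BRANCH_NAME` moved to `env:`, so one step now mixes the two conventions. Both values are GitHub-controlled with restricted character sets, so this is not the injection the commit targets, but `REPO_URL: ${{ github.server_url }}/${{ github.repository }}` in the same `env:` block, with the assignment line dropped, would leave the script with no `${{ }}` at all and make the rule easy to lint for. `TEST_BRANCH_NAME` is assigned here and, if used, is used past the end of the hunk.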