
Avoid running malicious inputs as shell commands in Custom GitHub actions and related workflows #131

Merged
merged 2 commits into from
May 16, 2024

Conversation

@eason9487 (Member) commented May 15, 2024

Changes proposed in this Pull Request:

This PR avoids running malicious inputs as shell commands in the GitHub Actions.

Although most input values are entered by devs who have access to their repo, which means it's unlikely to be vulnerable to such attacks, it would be better to fix it.

Ref: https://securitylab.github.com/research/github-actions-untrusted-input/

Detailed test instructions:

📌 Workflows for managing test build

  1. View the run result of "Create Test Build"
  2. View the run result of "Delete Test Build"

📌 automerge-released-trunk action

I didn't prepare a test for this as it uses the same fix as woocommerce/google-listings-and-ads#2394

📌 eslint-annotation and stylelint-annotation actions

  1. View the test workflow run that used the fixed eslint-annotation and stylelint-annotation actions
    • This run failed on purpose to test if it can report JS and CSS linting errors
  2. View linting annotations in the test PR

📌 prepare-extension-release action

  1. View the test workflow run that used the fixed action
  2. View the new release PR created by this action

📌 merge-trunk-develop-pr actions

  1. View the test workflow run that used the fixed action
  2. View the merging back PR created by this action

📌 prepare-node and prepare-php actions

  1. View the run result of "Create Test Build" as it also uses the prepare-node action.
  2. The prepare-php action uses the same fix so I believe it should work as well.

📌 run-qit-annotate action

  1. View the commit 3393d60 that triggered a workflow run to validate the run-qit-annotate action of this PR
  2. View the result of the test workflow run

@eason9487 eason9487 requested a review from a team May 15, 2024 10:41
@eason9487 eason9487 self-assigned this May 15, 2024
@eason9487 (Member, Author) commented:

I will be merging this PR in about 3 hours if it's not moved to the in-review status, as code review can be optional for a devs-facing-only change.

@eason9487 eason9487 merged commit bb2b681 into trunk May 16, 2024
1 check passed
@eason9487 eason9487 deleted the fix/avoid-actions-malicious-input branch May 16, 2024 09:40
eason9487 added a commit that referenced this pull request May 16, 2024
…input

Avoid running malicious inputs as shell commands in Custom GitHub actions and related workflows