From 2bad5c225afab1a08fc99de85cb5f40c5f65788a Mon Sep 17 00:00:00 2001 From: Diogo Teles Sant'Anna Date: Thu, 8 Aug 2024 18:06:21 +0000 Subject: [PATCH 1/5] fix: github workflow vulnerable to script injection Signed-off-by: Diogo Teles Sant'Anna --- .github/workflows/hermetic_library_generation.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml index 75183c6739..8b479f3a45 100644 --- a/.github/workflows/hermetic_library_generation.yaml +++ b/.github/workflows/hermetic_library_generation.yaml @@ -17,6 +17,9 @@ name: Hermetic library generation upon generation config change through pull req on: pull_request: +env: + HEAD_REF: ${{ github.head_ref }} + jobs: library_generation: # skip pull requests come from a forked repository @@ -35,6 +38,6 @@ jobs: [ -z "$(git config user.name)" ] && git config --global user.name "cloud-java-bot" bash .github/scripts/hermetic_library_generation.sh \ --target_branch ${{ github.base_ref }} \ - --current_branch ${{ github.head_ref }} + --current_branch $HEAD_REF env: GH_TOKEN: ${{ secrets.CLOUD_JAVA_BOT_TOKEN }} From baa73996885fd756dac1c38ef6d7287fe0b6539a Mon Sep 17 00:00:00 2001 From: Diego Marquez Date: Mon, 19 Aug 2024 16:22:35 -0400 Subject: [PATCH 2/5] inline forked repo check --- .github/workflows/hermetic_library_generation.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml index 8b479f3a45..3efd23f6c1 100644 --- a/.github/workflows/hermetic_library_generation.yaml +++ b/.github/workflows/hermetic_library_generation.yaml 
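Review bot: `$HEAD_REF` on the `--current_branch` line is left unquoted, so bash applies word splitting and globbing to it and an empty value makes the flag's argument vanish; write `--current_branch "$HEAD_REF"`. The same step still interpolates `${{ github.base_ref }}` directly into the script on the line above; base_ref is a branch name in the base repository rather than something a fork controls, but the pattern this patch introduces costs nothing to extend: add `BASE_REF: ${{ github.base_ref }}` to the top-level `env:` map and use `--target_branch "$BASE_REF"`. Moving `github.head_ref` into `env:` is the right mitigation, since the value then reaches the script through the environment instead of being pasted into its text. The `run:` block this hunk edits begins before the hunk, so the step's earlier lines are not visible here.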
@@ -19,11 +19,12 @@ on: env: HEAD_REF: ${{ github.head_ref }} + REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }} jobs: library_generation: - # skip pull requests come from a forked repository - if: github.event.pull_request.head.repo.full_name == github.repository + # skip pull requests come from a forked repository + if: ${{ env.REPO_FULL_NAME }} == github.repository runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 From 3de621e2deb076c9c2831096921b752468081665 Mon Sep 17 00:00:00 2001 From: Diego Marquez Date: Mon, 19 Aug 2024 16:23:44 -0400 Subject: [PATCH 3/5] Update hermetic_library_generation.yaml --- .github/workflows/hermetic_library_generation.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml index 3efd23f6c1..bb91c8e294 100644 --- a/.github/workflows/hermetic_library_generation.yaml +++ b/.github/workflows/hermetic_library_generation.yaml @@ -24,7 +24,7 @@ env: jobs: library_generation: # skip pull requests come from a forked repository - if: ${{ env.REPO_FULL_NAME }} == github.repository + if: ${{ github.env.REPO_FULL_NAME }} == github.repository runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 From 7dfd3eb517aff2e24888ad320774db945f2f9ad0 Mon Sep 17 00:00:00 2001 From: Diego Marquez Date: Mon, 19 Aug 2024 16:27:52 -0400 Subject: [PATCH 4/5] remove unnecessary variable evaluation token --- .github/workflows/hermetic_library_generation.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml index bb91c8e294..35b3776d42 100644 --- a/.github/workflows/hermetic_library_generation.yaml +++ b/.github/workflows/hermetic_library_generation.yaml 
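Review bot: The job-level `if:` is evaluated by the expressions engine and is never rendered into a shell, so `github.event.pull_request.head.repo.full_name == github.repository` was not a script-injection sink and routing it through `REPO_FULL_NAME` adds no protection. The rewritten condition also looks unlikely to work: the `env` context is not among the contexts available in `jobs.<job_id>.if` (the documented set is `github`, `needs`, `vars` and `inputs`), and `${{ env.REPO_FULL_NAME }} == github.repository` closes the expression before the operator, so the text after `}}` is literal rather than a comparison. I would drop this hunk and keep the original `if: github.event.pull_request.head.repo.full_name == github.repository`, leaving the `env:` change from the first patch in place.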
@@ -24,7 +24,7 @@ env: jobs: library_generation: # skip pull requests come from a forked repository - if: ${{ github.env.REPO_FULL_NAME }} == github.repository + if: github.env.REPO_FULL_NAME == github.repository runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 From ff3609ae867e42ee300b38de7994210060dd752a Mon Sep 17 00:00:00 2001 From: Diego Marquez Date: Mon, 19 Aug 2024 16:37:45 -0400 Subject: [PATCH 5/5] fix wording --- .github/workflows/hermetic_library_generation.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml index 35b3776d42..7b982df899 100644 --- a/.github/workflows/hermetic_library_generation.yaml +++ b/.github/workflows/hermetic_library_generation.yaml @@ -23,7 +23,7 @@ env: jobs: library_generation: - # skip pull requests come from a forked repository + # skip pull requests coming from a forked repository if: github.env.REPO_FULL_NAME == github.repository runs-on: ubuntu-latest steps:
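Review bot: `github.env` in the final `if:` is the github-context property that holds the path of the runner's `GITHUB_ENV` file, not the workflow's `env:` map, so `github.env.REPO_FULL_NAME` does not resolve to the value assigned on line 21 and the comparison with `github.repository` cannot hold; as far as I can tell the job will never run for any pull request, which silently disables the generation check rather than hardening it. Job-level `if:` conditions are evaluated as expressions and never rendered into a shell, so the original condition carried no injection risk in the first place. Restore `if: github.event.pull_request.head.repo.full_name == github.repository` and remove the now-unused `REPO_FULL_NAME` entry from `env:`; if the intent is to make the fork check more robust, consider the documented `github.event.pull_request.head.repo.fork` flag instead.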