Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve security of github action #1822

Closed
wants to merge 2 commits into from
Closed

Improve security of github action #1822

Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
7c85082
Improve security of github action
bookernath Dec 31, 2024
9364dcf
Merge branch 'main' into CATALYST-768
bookernath Jan 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 28 additions & 4 deletions .github/workflows/translations-changeset.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,13 +11,27 @@ jobs:
create-translations-patch:
if: github.actor == 'bc-svc-local'
runs-on: ubuntu-latest
# Add permissions block to limit token scope
permissions:
contents: write
pull-requests: write

steps:
- name: Checkout repo
uses: actions/checkout@v4
with:
fetch-depth: 2

- name: Validate inputs
id: validate
run: |
# Validate ref name against allowed pattern (alphanumeric, dash, underscore, and forward slash only)
if ! [[ "${{ github.event.pull_request.head.ref }}" =~ ^[a-zA-Z0-9/_-]+$ ]]; then
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With this line i think we should still env the ${{ github.event.pull_request.head.ref }} as if you enter something like "]]asdf" it can escape the shell condition which can lead to RCE.

Using intermediate env vars like here: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable should treat any special characters as escaped which we can safely use later

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we could use the default environment variable GITHUB_HEAD_REF instead? Should probably have the same escaped value 🤔

https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables#default-environment-variables

echo "Error: Invalid branch name format"
exit 1
fi
echo "ref=${{ github.event.pull_request.head.ref }}" >> $GITHUB_OUTPUT

- name: Use commit SHA for filename
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was this removed intentionally?

id: generate-sha
run: |
Expand All @@ -44,8 +58,18 @@ jobs:
git add .changeset/translations-patch-$SHORT_SHA.md
git commit -m "chore(core): create translations patch"

- name: Push changeset
- name: Push changes
uses: actions/github-script@v7
env:
TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
git push https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }} HEAD:${{ github.event.pull_request.head.ref }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const { repo, owner } = context.repo;
const ref = '${{ steps.validate.outputs.ref }}';

await exec.exec('git', [
'push',
`https://x-access-token:${process.env.GITHUB_TOKEN}@github.com/${owner}/${repo}`,
`HEAD:${ref}`
]);
Loading