From 0b5eb69f1c98b264e753e7f5fcbb223334d306ee Mon Sep 17 00:00:00 2001
From: Diogo Teles Sant'Anna
Date: Wed, 7 Aug 2024 20:24:47 +0000
Subject: [PATCH 1/5] fix: github workflow vulnerable to script injection
Signed-off-by: Diogo Teles Sant'Anna
---
 .github/workflows/hermetic_library_generation.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml
index cc49d69ff..da3d4c32d 100644
--- a/.github/workflows/hermetic_library_generation.yaml
+++ b/.github/workflows/hermetic_library_generation.yaml
@@ -19,6 +19,9 @@ on: paths: - 'generation_config.yaml' +env: + HEAD_REF: ${{ github.head_ref }} + jobs: library_generation: # skip pull requests coming from a forked repository
@@ -37,6 +40,6 @@ jobs: [ -z "$(git config user.name)" ] && git config --global user.name "cloud-java-bot" bash .github/scripts/hermetic_library_generation.sh \ --target_branch ${{ github.base_ref }} \ - --current_branch ${{ github.head_ref }} + --current_branch $HEAD_REF env: GH_TOKEN: ${{ secrets.CLOUD_JAVA_BOT_TOKEN }}
From aefafe293597a95eebcd18c1754c60e8241ba70c Mon Sep 17 00:00:00 2001
From: Diego Marquez
Date: Mon, 19 Aug 2024 16:35:44 -0400
Subject: [PATCH 2/5] inline repo's full_name as env var
---
 .github/workflows/hermetic_library_generation.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml
index da3d4c32d..ab23b9fec 100644
--- a/.github/workflows/hermetic_library_generation.yaml
+++ b/.github/workflows/hermetic_library_generation.yaml
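Review bot: The new `--current_branch $HEAD_REF` in the second hunk is unquoted, so a branch name containing whitespace or glob characters is word-split and expanded by the shell before the script sees it; write it as `--current_branch "$HEAD_REF"`. The context line `--target_branch ${{ github.base_ref }} \` still interpolates an expression straight into the `run:` script, the same pattern this commit removes for head_ref; base_ref is less exposed to outside control than head_ref, but the same indirection is cheap: add `BASE_REF: ${{ github.base_ref }}` under the new `env:` block and use `--target_branch "$BASE_REF" \`. The `run: |` block edited here begins outside the hunk.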
@@ -16,16 +16,15 @@ name: Hermetic library generation upon generation config change through pull requests on: pull_request: - paths: - - 'generation_config.yaml' env: HEAD_REF: ${{ github.head_ref }} + REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }} jobs: library_generation: # skip pull requests coming from a forked repository - if: github.event.pull_request.head.repo.full_name == github.repository + if: github.env.REPO_FULL_NAME == github.repository runs-on: ubuntu-latest steps: - uses: actions/checkout@v4
@@ -35,7 +34,7 @@ jobs: - name: Generate changed libraries shell: bash run: | - set -x + set -ex [ -z "$(git config user.email)" ] && git config --global user.email "cloud-java-bot@google.com" [ -z "$(git config user.name)" ] && git config --global user.name "cloud-java-bot" bash .github/scripts/hermetic_library_generation.sh \
From 19e3ef44fbcb0ffd07c02f6114cc28a91a497962 Mon Sep 17 00:00:00 2001
From: Diego Marquez
Date: Wed, 4 Sep 2024 15:04:57 -0400
Subject: [PATCH 3/5] Update hermetic_library_generation.yaml
---
 .github/workflows/hermetic_library_generation.yaml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml
index ab23b9fec..c191bc39c 100644
--- a/.github/workflows/hermetic_library_generation.yaml
+++ b/.github/workflows/hermetic_library_generation.yaml
@@ -1,3 +1,4 @@ + # Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License");
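Review bot: `if: github.env.REPO_FULL_NAME == github.repository` in the first hunk does not read the workflow `env:` block: `github.env` is the path of the runner's environment file, so the comparison cannot be true and the job is skipped for every pull request, including ones from the base repository. The `env` context is also not available in a job-level `if:`, so `env.REPO_FULL_NAME` would not work there either; the removed expression `if: github.event.pull_request.head.repo.full_name == github.repository` was already safe, because an `if:` expression is evaluated by the runner and never passed through a shell, and should be restored rather than rewritten through `env`. The same hunk also drops the `paths:` filter under `pull_request:`, which looks unintended since nothing in the commit message mentions widening the trigger.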
@@ -16,15 +17,16 @@ name: Hermetic library generation upon generation config change through pull requests on: pull_request: + paths: + - generation_config.yaml env: HEAD_REF: ${{ github.head_ref }} REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }} + GITHUB_REPOSITORY: ${{ github.repository }} jobs: library_generation: - # skip pull requests coming from a forked repository - if: github.env.REPO_FULL_NAME == github.repository runs-on: ubuntu-latest steps: - uses: actions/checkout@v4
@@ -35,6 +37,10 @@ jobs: shell: bash run: | set -ex + if [[ "${GITHUB_REPOSITORY}" != "${REPO_FULL_NAME}" ]]; then + echo "This PR comes from a fork. Generation will be skipped" + exit 0 + fi [ -z "$(git config user.email)" ] && git config --global user.email "cloud-java-bot@google.com" [ -z "$(git config user.name)" ] && git config --global user.name "cloud-java-bot" bash .github/scripts/hermetic_library_generation.sh \
From cf30f0f37f761346a248b7c359bcd5dad651c53c Mon Sep 17 00:00:00 2001
From: Diego Marquez
Date: Wed, 4 Sep 2024 15:05:45 -0400
Subject: [PATCH 4/5] Update hermetic_library_generation.yaml
---
 .github/workflows/hermetic_library_generation.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml
index c191bc39c..ec7bf6385 100644
--- a/.github/workflows/hermetic_library_generation.yaml
+++ b/.github/workflows/hermetic_library_generation.yaml
@@ -17,8 +17,9 @@ name: Hermetic library generation upon generation config change through pull requests on: pull_request: - paths: - - generation_config.yaml + paths: + - 'generation_config.yaml' + env: HEAD_REF: ${{ github.head_ref }}
From 224748bb0916dca95ee96015c3913a8a1cc3d1df Mon Sep 17 00:00:00 2001
From: Diego Marquez
Date: Wed, 4 Sep 2024 15:06:23 -0400
Subject: [PATCH 5/5] Format
---
 .github/workflows/hermetic_library_generation.yaml | 1 -
 1 file changed, 1 deletion(-)
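Review bot: Moving the fork check into the `run:` script (second hunk) means `actions/checkout@v4` and every step between it and this one now execute for pull requests from forks before the script reaches `exit 0`, whereas the job-level `if:` removed in the first hunk skipped the whole job. Keeping a job-level guard, `if: github.event.pull_request.head.repo.full_name == github.repository`, next to the shell check preserves that early skip; an `if:` expression is evaluated by the runner and not by a shell, so it is not subject to the injection this series fixes. In the first hunk, `GITHUB_REPOSITORY: ${{ github.repository }}` redefines a variable the runner already exports with that value, so it can be dropped or given a distinct name to avoid suggesting it is something the workflow controls. The `run: |` block edited by the second hunk begins outside the hunk.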
diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml
index ec7bf6385..8b1779de5 100644
--- a/.github/workflows/hermetic_library_generation.yaml
+++ b/.github/workflows/hermetic_library_generation.yaml
@@ -1,4 +1,3 @@ - # Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License");