From 08a0b0ad85efe229751e95918cd4cb1b24bff814 Mon Sep 17 00:00:00 2001
From: Andrea Valenza
Date: Wed, 6 Sep 2023 13:32:14 +0200
Subject: [PATCH] fix: avoid command injection and pass arguments securely (#98)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Miroslav Jonaš
---
 action.yml | 9 ++++++++-
 find-successful-workflow.js | 15 ++++++++++-----
 2 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/action.yml b/action.yml
index ad73af3..0a0cd63 100644
--- a/action.yml
+++ b/action.yml
@@ -37,7 +37,14 @@ runs:
     - name: Set base and head SHAs used for nx affected
       id: setSHAs
       shell: bash
-      run: node $GITHUB_ACTION_PATH/dist/index.js ${{ github.token }} ${{ inputs.main-branch-name }} ${{ inputs.error-on-no-successful-workflow }} ${{ inputs.last-successful-event }} ${{ inputs.working-directory }} ${{ inputs.workflow-id }}
+      env:
+        gh_token: ${{ github.token }}
+        main_branch_name: ${{ inputs.main-branch-name }}
+        error_on_no_successful_workflow: ${{ inputs.error-on-no-successful-workflow }}
+        last_successful_event: ${{ inputs.last-successful-event }}
+        working_directory: ${{ inputs.working-directory }}
+        working_id: ${{ inputs.workflow-id }}
+      run: node "$GITHUB_ACTION_PATH/dist/index.js" "$gh_token" "$main_branch_name" "$error_on_no_successful_workflow" "$last_successful_event" "$working_directory" "$working_id"
     - name: Log base and head SHAs used for nx affected
       shell: bash
diff --git a/find-successful-workflow.js b/find-successful-workflow.js
index ca622fe..7700a5f 100644
--- a/find-successful-workflow.js
+++ b/find-successful-workflow.js
@@ -1,7 +1,7 @@
 const { Octokit } = require("@octokit/action");
 const core = require("@actions/core");
 const github = require('@actions/github');
-const { execSync } = require('child_process');
+const { spawnSync } = require('child_process');
 const { existsSync } = require('fs');
 const { runId, repo: { repo, owner }, eventName } = github.context;
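Review bot: The new env key `working_id`, bound to `${{ inputs.workflow-id }}`, reads as a typo for `workflow_id` and is easy to confuse with `working_directory` on the same `run:` line; rename it on both lines: `workflow_id: ${{ inputs.workflow-id }}` and `"$workflow_id"`. Moving the expressions into `env:` and double-quoting every expansion is the right fix for the injection, since the input values are no longer substituted into the shell command text before bash parses it. One residual exposure remains: `"$gh_token"` is still handed to node as an argv element, so it is visible to anything on the runner that can read the process table; because the values are already exported, `dist/index.js` could read `process.env.gh_token` instead of its argv (the script's argument parsing is not part of this diff, so that is inferred).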
@@ -24,10 +24,13 @@ let BASE_SHA;
     }
   }
-  const HEAD_SHA = execSync(`git rev-parse HEAD`, { encoding: 'utf-8' });
+  const headResult = spawnSync('git', ['rev-parse', 'HEAD'], { encoding: 'utf-8' });
+  const HEAD_SHA = headResult.stdout;
+
   if (['pull_request','pull_request_target'].includes(eventName)) {
-    BASE_SHA = execSync(`git merge-base origin/${mainBranchName} HEAD`, { encoding: 'utf-8' });
+    const baseResult = spawnSync('git', ['merge-base', `origin/${mainBranchName}`, 'HEAD'], { encoding: 'utf-8' });
+    BASE_SHA = baseResult.stdout;
   } else {
     try {
       BASE_SHA = await findSuccessfulCommit(workflowId, runId, owner, repo, mainBranchName, lastSuccessfulEvent);
@@ -47,7 +50,9 @@ let BASE_SHA;
       process.stdout.write('\n');
       process.stdout.write(`NOTE: You can instead make this a hard error by setting 'error-on-no-successful-workflow' on the action in your workflow.\n`);
-      BASE_SHA = execSync(`git rev-parse origin/${mainBranchName}~1`, { encoding: 'utf-8' });
+      const baseRes = spawnSync('git', ['rev-parse', `origin/${mainBranchName}~1`], { encoding: 'utf-8' });
+      BASE_SHA = baseRes.stdout;
+
       core.setOutput('noPreviousBuild', 'true');
     }
   } else {
@@ -128,7 +133,7 @@ async function findExistingCommit(shas) {
  */
 async function commitExists(commitSha) {
   try {
-    execSync(`git cat-file -e ${commitSha}`, { stdio: ['pipe', 'pipe', null] });
+    spawnSync('git', ['cat-file', '-e', commitSha], { stdio: ['pipe', 'pipe', null] });
     return true;
   } catch {
     return false;
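Review bot: None of the new `spawnSync` calls inspects its result, so where `execSync` used to throw when `git rev-parse HEAD` or `git merge-base` failed, `HEAD_SHA`/`BASE_SHA` now silently receive whatever git wrote to stdout (or `null` when the spawn itself fails and `result.error` is set) and the action carries on with a bogus SHA; the `git rev-parse origin/…~1` call in the `@@ -47,7 +50,9 @@` hunk has the same gap. A small helper that throws on `error` or a non-zero `status` keeps the no-shell argv invocation while restoring the previous fail-loudly behaviour; sketch below, with the helper defined at module level and the three call sites reduced to one line each. The enclosing async function both starts and ends outside this hunk.

```javascript
/** Run git with an argv array (no shell); throw on spawn failure or non-zero exit so callers never see a bogus SHA. */
function runGit(args) {
  const result = spawnSync('git', args, { encoding: 'utf-8' });
  if (result.error) throw result.error;
  if (result.status !== 0) {
    throw new Error(`git ${args.join(' ')} exited with status ${result.status}: ${result.stderr}`);
  }
  return result.stdout;
}

// … unchanged: working-directory handling at the top of the async function …
  const HEAD_SHA = runGit(['rev-parse', 'HEAD']);

  if (['pull_request','pull_request_target'].includes(eventName)) {
    BASE_SHA = runGit(['merge-base', `origin/${mainBranchName}`, 'HEAD']);
// … unchanged: findSuccessfulCommit branch; the fallback in the next hunk becomes BASE_SHA = runGit(['rev-parse', `origin/${mainBranchName}~1`]); …
```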
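Review bot: `commitExists` now answers `true` for a SHA git does not have: `spawnSync` reports a failed `git cat-file -e` through a non-zero `status` instead of throwing, so the `catch` that turned `execSync`'s exception into `return false` no longer fires. Replace the call and `return true;` with `const result = spawnSync('git', ['cat-file', '-e', commitSha], { stdio: ['pipe', 'pipe', null] });` and `return !result.error && result.status === 0;`, after which the try/catch is no longer needed. This presumably matters because the result decides whether a SHA taken from the workflow-run API is usable locally, and a false positive hands later git calls an unresolvable ref; the function's closing brace is outside the hunk.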