Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: avoid command injection and pass arguments securely #98

Merged
merged 3 commits into from
Sep 6, 2023
Merged

fix: avoid command injection and pass arguments securely #98

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
b8f5709
Move from execSync to spawnSync
AvalZ Jul 17, 2023
c436174
Safe run command in the GitHub Action
AvalZ Jul 25, 2023
ce4073a
Merge branch 'main' into main
meeroslav Sep 6, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 8 additions & 1 deletion action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,14 @@ runs:
- name: Set base and head SHAs used for nx affected
id: setSHAs
shell: bash
run: node $GITHUB_ACTION_PATH/dist/index.js ${{ github.token }} ${{ inputs.main-branch-name }} ${{ inputs.error-on-no-successful-workflow }} ${{ inputs.last-successful-event }} ${{ inputs.working-directory }} ${{ inputs.workflow-id }}
env:
gh_token: ${{ github.token }}
main_branch_name: ${{ inputs.main-branch-name }}
error_on_no_successful_workflow: ${{ inputs.error-on-no-successful-workflow }}
last_successful_event: ${{ inputs.last-successful-event }}
working_directory: ${{ inputs.working-directory }}
working_id: ${{ inputs.workflow-id }}
run: node "$GITHUB_ACTION_PATH/dist/index.js" "$gh_token" "$main_branch_name" "$error_on_no_successful_workflow" "$last_successful_event" "$working_directory" "$working_id"

- name: Log base and head SHAs used for nx affected
shell: bash
Expand Down
15 changes: 10 additions & 5 deletions find-successful-workflow.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
const { Octokit } = require("@octokit/action");
const core = require("@actions/core");
const github = require('@actions/github');
const { execSync } = require('child_process');
const { spawnSync } = require('child_process');
const { existsSync } = require('fs');

const { runId, repo: { repo, owner }, eventName } = github.context;
Expand All @@ -24,10 +24,13 @@ let BASE_SHA;
}
}

const HEAD_SHA = execSync(`git rev-parse HEAD`, { encoding: 'utf-8' });
const headResult = spawnSync('git', ['rev-parse', 'HEAD'], { encoding: 'utf-8' });
const HEAD_SHA = headResult.stdout;


if (eventName === 'pull_request') {
BASE_SHA = execSync(`git merge-base origin/${mainBranchName} HEAD`, { encoding: 'utf-8' });
const baseResult = spawnSync('git', ['merge-base', `origin/${mainBranchName}`, 'HEAD'], { encoding: 'utf-8' });
BASE_SHA = baseResult.stdout;
} else {
try {
BASE_SHA = await findSuccessfulCommit(workflowId, runId, owner, repo, mainBranchName, lastSuccessfulEvent);
Expand All @@ -47,7 +50,9 @@ let BASE_SHA;
process.stdout.write('\n');
process.stdout.write(`NOTE: You can instead make this a hard error by setting 'error-on-no-successful-workflow' on the action in your workflow.\n`);

BASE_SHA = execSync(`git rev-parse origin/${mainBranchName}~1`, { encoding: 'utf-8' });
const baseRes = spawnSync('git', ['rev-parse', `origin/${mainBranchName}~1`], { encoding: 'utf-8' });
BASE_SHA = baseRes.stdout;

core.setOutput('noPreviousBuild', 'true');
}
} else {
Expand Down Expand Up @@ -128,7 +133,7 @@ async function findExistingCommit(shas) {
*/
async function commitExists(commitSha) {
try {
execSync(`git cat-file -e ${commitSha}`, { stdio: ['pipe', 'pipe', null] });
spawnSync('git', ['cat-file', '-e', commitSha], { stdio: ['pipe', 'pipe', null] });
return true;
} catch {
return false;
Expand Down