From c7fc640ec4f6528648f0bb3389b257dedfc14672 Mon Sep 17 00:00:00 2001
From: pputman12
Date: Wed, 11 Dec 2024 21:04:52 -0600
Subject: [PATCH 1/2] Remediate Shell Script Injection Vulnerability

Using github actions inputs inside of a shell script leaves github actions vulnerable to shell script injection attacks. Moving the inputs into env variables first and then using them in the shell script remediates this problem

---
 .github/workflows/helm_deploy_dispatch.yml | 30 +++++++++++++---------
 1 file changed, 18 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/helm_deploy_dispatch.yml b/.github/workflows/helm_deploy_dispatch.yml
index a736868106ca..325c6e6ab42e 100644
--- a/.github/workflows/helm_deploy_dispatch.yml
+++ b/.github/workflows/helm_deploy_dispatch.yml
@@ -47,46 +47,52 @@ jobs:
 service-account: ${{ steps.set-config.outputs.service-account }}
 steps:
 - id: set-config
+ env:
+ ACTION: "${{ github.event.inputs.action }}"
+ DEPLOYMENT: "${{ github.event.inputs.deployment }}"
+ CHANGE-CAUSE: "${{ github.event.inputs.change-cause }}"
+ USE-BRANCH-COMMIT: "${{ github.event.inputs.use-branch-commit }}"
+ run: |
 # SERVICE_ACCOUNT_SUFFIX="-ro"
 SERVICE_ACCOUNT_SUFFIX=""
 [ "${{ github.ref_name }}" == master ] && SERVICE_ACCOUNT_SUFFIX=""
- if [ "${{ github.event.inputs.action }}" == apply ] && [ "${{ github.event.inputs.deployment }}" != rc1staging ] && [ "${{ github.ref_name }}" != master ]; then
+ if [ "${{ env.ACTION }}" == apply ] && [ "${{ env.DEPLOYMENT }}" != rc1staging ] && [ "${{ github.ref_name }}" != master ]; then
 echo "ERROR: Only the master branch can be deployed to non-rc1staging environments"
 exit 1
 fi
- if [ "${{ github.event.inputs.deployment }}" == "cannoli" ]; then
+ if [ "${{ env.DEPLOYMENT }}" == "cannoli" ]; then
 echo "cluster=cannoli" >> "$GITHUB_OUTPUT"
 echo "project=cannoli-380909" >> "$GITHUB_OUTPUT"
 echo "cluster-location=us-west1-a" >> "$GITHUB_OUTPUT"
 echo "service-account=deploy-helm-cannoli${SERVICE_ACCOUNT_SUFFIX}@cannoli-380909.iam.gserviceaccount.com" >> "$GITHUB_OUTPUT"
- elif [ "${{ github.event.inputs.deployment }}" == "rc1staging" ]; then
+ elif [ "${{ env.DEPLOYMENT }}" == "rc1staging" ]; then
 echo "cluster=rc1staging" >> "$GITHUB_OUTPUT"
 echo "project=celo-testnet-production" >> "$GITHUB_OUTPUT"
 echo "cluster-location=us-west1-a" >> "$GITHUB_OUTPUT"
 echo "service-account=deploy-helm-celo-prod${SERVICE_ACCOUNT_SUFFIX}@celo-testnet-production.iam.gserviceaccount.com" >> "$GITHUB_OUTPUT"
- elif [[ "${{ github.event.inputs.deployment }}" =~ ^alfajores[2-3]$ ]]; then
+ elif [[ "${{ env.DEPLOYMENT }}" =~ ^alfajores[2-3]$ ]]; then
 echo "cluster=alfajores" >> "$GITHUB_OUTPUT"
 echo "project=celo-testnet-production" >> "$GITHUB_OUTPUT"
 echo "cluster-location=us-west1-a" >> "$GITHUB_OUTPUT"
 echo "service-account=deploy-helm-celo-prod${SERVICE_ACCOUNT_SUFFIX}@celo-testnet-production.iam.gserviceaccount.com" >> "$GITHUB_OUTPUT"
- elif [[ "${{ github.event.inputs.deployment }}" =~ ^baklava[2-3]$ ]]; then
+ elif [[ "${{ env.DEPLOYMENT }}" =~ ^baklava[2-3]$ ]]; then
 echo "cluster=baklavastaging" >> "$GITHUB_OUTPUT"
 echo "project=celo-testnet-production" >> "$GITHUB_OUTPUT"
 echo "cluster-location=us-west1-a" >> "$GITHUB_OUTPUT"
 echo "service-account=deploy-helm-celo-prod${SERVICE_ACCOUNT_SUFFIX}@celo-testnet-production.iam.gserviceaccount.com" >> "$GITHUB_OUTPUT"
- elif [[ "${{ github.event.inputs.deployment }}" =~ ^rc1[1|3]$ ]]; then
+ elif [[ "${{ env.DEPLOYMENT }}" =~ ^rc1[1|3]$ ]]; then
 echo "cluster=mainnet" >> "$GITHUB_OUTPUT"
 echo "project=celo-testnet-production" >> "$GITHUB_OUTPUT"
 echo "cluster-location=us-west1-a" >> "$GITHUB_OUTPUT"
 echo "service-account=deploy-helm-celo-prod${SERVICE_ACCOUNT_SUFFIX}@celo-testnet-production.iam.gserviceaccount.com" >> "$GITHUB_OUTPUT"
 fi
- if [ -z "${{ github.event.inputs.change-cause }}" ]; then
+ if [ -z "${{ env.CHANGE-CAUSE }}" ]; then
 echo "change-cause=\"Deployment ${{ github.sha }} triggered by ${{ github.triggering_actor }} on ${{ github.event.repository.html_url }}/actions/runs/${{ github.run_id }}\"" >> "$GITHUB_OUTPUT"
 else
- echo "change-cause=\"${{ github.event.inputs.change-cause }}\"" >> "$GITHUB_OUTPUT"
+ echo "change-cause=\"${{ env.CHANGE-CAUSE }}\"" >> "$GITHUB_OUTPUT"
 fi
- if [ "${{ github.event.inputs.use-branch-commit }}" == "true" ]; then
+ if [ "${{ env.USE-BRANCH-COMMIT }}" == "true" ]; then
 echo "image-commit=${{ github.sha }}" >> "$GITHUB_OUTPUT"
 else
 echo "image-commit=" >> "$GITHUB_OUTPUT"
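Review bot: Replacing `${{ github.event.inputs.X }}` with `${{ env.X }}` inside `run:` does not close the injection: an `${{ }}` expression is still expanded into the script text before bash executes it, so the input's contents remain part of the command stream; the `env:` block only helps when the script reads the shell variable instead, i.e. `"$ACTION"`, `"$DEPLOYMENT"` rather than `"${{ env.ACTION }}"`. The names `CHANGE-CAUSE` and `USE-BRANCH-COMMIT` are not valid shell identifiers (bash reads `$CHANGE-CAUSE` as `$CHANGE` followed by `-CAUSE`) and a hyphen in an `env.` property reference is unlikely to parse as an expression either, so they need underscores both here and in the workflow-level `env:` added by PATCH 2/2. `${{ github.ref_name }}` is still interpolated three times in this hunk, and branch names may carry shell metacharacters, so it belongs in the same env block. Even with shell variables, a `change-cause` value containing a newline could still append extra lines to `$GITHUB_OUTPUT` (and thereby other outputs such as `service-account`), so rejecting newlines in that input, or emitting it with the `<<EOF` delimiter form, is worth adding. The closing `fi` of the last `if` and the rest of the step fall outside the hunk.
```yaml
      - id: set-config
        env:
          ACTION: "${{ github.event.inputs.action }}"
          DEPLOYMENT: "${{ github.event.inputs.deployment }}"
          CHANGE_CAUSE: "${{ github.event.inputs.change-cause }}"
          USE_BRANCH_COMMIT: "${{ github.event.inputs.use-branch-commit }}"
          REF_NAME: "${{ github.ref_name }}"
        run: |
          # … unchanged: SERVICE_ACCOUNT_SUFFIX initialisation …
          [ "$REF_NAME" == master ] && SERVICE_ACCOUNT_SUFFIX=""
          if [ "$ACTION" == apply ] && [ "$DEPLOYMENT" != rc1staging ] && [ "$REF_NAME" != master ]; then
          # … unchanged: error message, exit 1, fi …
          if [ "$DEPLOYMENT" == "cannoli" ]; then
          # … unchanged: cannoli outputs …
          elif [ "$DEPLOYMENT" == "rc1staging" ]; then
          # … unchanged: rc1staging outputs …
          elif [[ "$DEPLOYMENT" =~ ^alfajores[2-3]$ ]]; then
          # … unchanged: alfajores outputs …
          elif [[ "$DEPLOYMENT" =~ ^baklava[2-3]$ ]]; then
          # … unchanged: baklava outputs …
          elif [[ "$DEPLOYMENT" =~ ^rc1[1|3]$ ]]; then
          # … unchanged: mainnet outputs, fi …
          if [ -z "$CHANGE_CAUSE" ]; then
          # … unchanged: default change-cause line, else …
            echo "change-cause=\"$CHANGE_CAUSE\"" >> "$GITHUB_OUTPUT"
          fi
          if [ "$USE_BRANCH_COMMIT" == "true" ]; then
          # … unchanged: image-commit outputs …
```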
@@ -95,10 +101,10 @@ jobs:
 helmfile-run:
 uses: ./.github/workflows/helm_deploy_call.yml
 needs: set-config
- name: "helmfile ${{ github.event.inputs.action }}"
+ name: "helmfile ${{ env.ACTION }}"
 with:
- helmfile: helm/helmfiles/${{ github.event.inputs.deployment }}.yaml
- action: ${{ github.event.inputs.action }}
+ helmfile: helm/helmfiles/${{ env.DEPLOYMENT }}.yaml
+ action: ${{ env.ACTION }}
 image-commit: ${{ needs.set-config.outputs.image-commit }}
 change-cause: ${{ needs.set-config.outputs.change-cause }}
 cluster-name: ${{ needs.set-config.outputs.cluster }}
From 5cdf9433b1f5b835274022e4c701036a5d8dd241 Mon Sep 17 00:00:00 2001
From: pputman12
Date: Wed, 11 Dec 2024 21:07:33 -0600
Subject: [PATCH 2/2] move variables to workflow level so they're used in both jobs

---
 .github/workflows/helm_deploy_dispatch.yml | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/helm_deploy_dispatch.yml b/.github/workflows/helm_deploy_dispatch.yml
index 325c6e6ab42e..69a4596ba742 100644
--- a/.github/workflows/helm_deploy_dispatch.yml
+++ b/.github/workflows/helm_deploy_dispatch.yml
@@ -34,6 +34,11 @@ on:
 description: 'The change cause to use for the deployment'
 required: false
 type: string
+env:
+ ACTION: "${{ github.event.inputs.action }}"
+ DEPLOYMENT: "${{ github.event.inputs.deployment }}"
+ CHANGE-CAUSE: "${{ github.event.inputs.change-cause }}"
+ USE-BRANCH-COMMIT: "${{ github.event.inputs.use-branch-commit }}"
 jobs:
 set-config:
@@ -47,12 +52,6 @@ jobs:
 service-account: ${{ steps.set-config.outputs.service-account }}
 steps:
 - id: set-config
- env:
- ACTION: "${{ github.event.inputs.action }}"
- DEPLOYMENT: "${{ github.event.inputs.deployment }}"
- CHANGE-CAUSE: "${{ github.event.inputs.change-cause }}"
- USE-BRANCH-COMMIT: "${{ github.event.inputs.use-branch-commit }}"
- run: |
 # SERVICE_ACCOUNT_SUFFIX="-ro"
 SERVICE_ACCOUNT_SUFFIX=""
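Review bot: `${{ env.ACTION }}` and `${{ env.DEPLOYMENT }}` in the `helmfile-run` job's `name:` and `with:` will most likely expand to empty strings: as far as I recall the context-availability rules, the `env` context is not offered to `jobs.<job_id>.name` or `jobs.<job_id>.with` (only `github`, `needs`, `inputs`, `vars`, `strategy` and `matrix` are), and a step-level `env:` from the `set-config` job is out of scope for another job regardless, so the call would become `helmfile: helm/helmfiles/.yaml` with an empty `action`. These values are handed to the reusable workflow as data rather than spliced into a shell script, so the original expressions were not an injection vector and there is nothing to fix on this hunk; keep them as data, e.g. `name: "helmfile ${{ inputs.action }}"`, `helmfile: helm/helmfiles/${{ inputs.deployment }}.yaml` and `action: ${{ inputs.action }}`. Whether helm_deploy_call.yml itself interpolates `inputs.action` into a `run:` step is outside this diff and is where the same `"$VAR"` treatment would matter.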
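Review bot: The companion hunk `@@ -47,12 +52,6 @@` of this patch deletes `- run: |` together with the step-level `env:` block and nothing re-adds it, which would leave the `set-config` step without its `run:` key and the script lines orphaned under `- id: set-config`; that hunk ends outside this chunk, so this may be a display artifact, but it is worth confirming on the rendered file. Moving the four variables to the workflow-level `env:` also does not make them visible to the reusable workflow invoked by `helmfile-run`, since workflow-level `env` is not passed through `uses:` calls, so the stated goal of using them "in both jobs" is not achieved by this move alone.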