Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mitigate injection #115

Merged
merged 1 commit into from
Aug 3, 2023
Merged

Mitigate injection #115

merged 1 commit into from
Aug 3, 2023

Conversation

jackdawm
Copy link
Contributor

@jackdawm jackdawm commented Aug 3, 2023

What changed?
Replace interpolated github context variables with default variables used more defensively.

Why?
This mitigates an attacker naming a branch a command that could run in our runner's context.

How did you test it?
Ran in my own fork and it was fine in my workflow.

Potential risks
Somehow not printing the build info in the workflow output.

@jackdawm
Mitigate injection
41f60ae 
Replace interpolated context variables with default variables used more defensively. This mitigates an attacker naming a branch a command that could run in our runner's context.
@jackdawm jackdawm requested review from a team as code owners August 3, 2023 18:48
cretz
cretz approved these changes Aug 3, 2023
View reviewed changes
Copy link
Member

@cretz cretz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

cretz
cretz reviewed Aug 3, 2023
View reviewed changes
.github/workflows/ci.yml
@@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Print build information
run: "echo head_ref: ${{ github.head_ref }}, ref: ${{ github.ref }}"
run: 'echo head_ref: "$GITHUB_HEAD_REF", ref: "$GITHUB_REF"'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You may have to set these as environment variables first

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are actually set by Github by default and are available to every step in a workflow. You can verify that it's working here: https://github.com/temporalio/api-go/actions/runs/5754549570/job/15600068301?pr=115

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I kind of can't believe that gha has such a security-footgun with no warnings or easy alternatives. I've fixed this in multiple other places. there isn't even a "shell-escape" filter available on substitutions :(

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, sorry! I confused the exec line for the output. Thanks, will merge.

@cretz cretz merged commit 836addc into master Aug 3, 2023
@cretz cretz deleted the injection branch August 3, 2023 19:50
@jackdawm jackdawm mentioned this pull request Aug 3, 2023
Merged
@sync-by-unito sync-by-unito bot mentioned this pull request Aug 24, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dnr dnr dnr left review comments

@cretz cretz cretz approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jackdawm @cretz @dnr