From f81b97dab030815d1cc9ac68447b67f41c3d21fb Mon Sep 17 00:00:00 2001
From: Diogo Teles Sant'Anna
Date: Wed, 7 Aug 2024 20:25:00 +0000
Subject: [PATCH 1/4] fix: github workflow vulnerable to script injection

Signed-off-by: Diogo Teles Sant'Anna
---
 .github/workflows/hermetic_library_generation.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml
index 7146cc3dc..982d471d0 100644
--- a/.github/workflows/hermetic_library_generation.yaml
+++ b/.github/workflows/hermetic_library_generation.yaml
@@ -17,6 +17,9 @@ name: Hermetic library generation upon generation config change through pull req
 on:
   pull_request:
 
+env:
+  HEAD_REF: ${{ github.head_ref }}
+
 jobs:
   library_generation:
     # skip pull requests coming from a forked repository
@@ -35,6 +38,6 @@ jobs:
         [ -z "$(git config user.name)" ] && git config --global user.name "cloud-java-bot"
         bash .github/scripts/hermetic_library_generation.sh \
         --target_branch ${{ github.base_ref }} \
-        --current_branch ${{ github.head_ref }}
+        --current_branch $HEAD_REF
       env:
         GH_TOKEN: ${{ secrets.CLOUD_JAVA_BOT_TOKEN }}

From 795941c26b941af6db9b6fe26a51d138cefedf71 Mon Sep 17 00:00:00 2001
From: Diego Marquez
Date: Mon, 19 Aug 2024 16:34:02 -0400
Subject: [PATCH 2/4] inline full_name as env var

---
 .github/workflows/hermetic_library_generation.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml
index 982d471d0..a1cce5119 100644
--- a/.github/workflows/hermetic_library_generation.yaml
+++ b/.github/workflows/hermetic_library_generation.yaml
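Review bot: Moving `github.head_ref` into a workflow-level `env:` is the right fix for the script-injection issue, but the hunk leaves no trace of why, so the next editor may well inline an expression into a `run:` script again. Suggest a comment above the new `env:` key along the lines of `# PR metadata (branch names etc.) is controlled by the PR author; expose it through env vars so it is never interpolated into a run: script.` Note that a workflow-level `env:` is visible to every job in this file, so a job that must not see these values would need its own scope.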
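Review bot: `$HEAD_REF` on the added line is unquoted, so a head branch name containing whitespace or glob characters is word-split and globbed before it reaches the script; write `--current_branch "$HEAD_REF"`. The context line above, `--target_branch ${{ github.base_ref }} \`, still interpolates an expression into the shell body; `base_ref` has to name an existing branch of the base repository, so it is far less exposed than `head_ref`, but for consistency it should go through env as well (`BASE_REF: ${{ github.base_ref }}` under `env:`, then `--target_branch "$BASE_REF" \`). The `run: |` block holding these lines starts before the hunk.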
@@ -19,11 +19,12 @@ on:
 
 env:
   HEAD_REF: ${{ github.head_ref }}
+  REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }}
 
 jobs:
   library_generation:
-    # skip pull requests coming from a forked repository
-    if: github.event.pull_request.head.repo.full_name == github.repository
+    # skip pull requests come from a forked repository
+    if: github.env.REPO_FULL_NAME == github.repository
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
@@ -33,7 +34,7 @@ jobs:
     - name: Generate changed libraries
       shell: bash
       run: |
-        set -x
+        set -ex
         [ -z "$(git config user.email)" ] && git config --global user.email "cloud-java-bot@google.com"
         [ -z "$(git config user.name)" ] && git config --global user.name "cloud-java-bot"
         bash .github/scripts/hermetic_library_generation.sh \

From de8ae700aaaeb74af8d542caf7ee21f483cfda3c Mon Sep 17 00:00:00 2001
From: Diego Marquez
Date: Mon, 19 Aug 2024 16:36:14 -0400
Subject: [PATCH 3/4] fix wording

---
 .github/workflows/hermetic_library_generation.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml
index a1cce5119..ab23b9fec 100644
--- a/.github/workflows/hermetic_library_generation.yaml
+++ b/.github/workflows/hermetic_library_generation.yaml
@@ -23,7 +23,7 @@ env:
 
 jobs:
   library_generation:
-    # skip pull requests come from a forked repository
+    # skip pull requests coming from a forked repository
     if: github.env.REPO_FULL_NAME == github.repository
     runs-on: ubuntu-latest
     steps:

From 8da716d25a058c8d2b3a7fb7fd58e244be9e146a Mon Sep 17 00:00:00 2001
From: Diego Marquez
Date: Thu, 5 Sep 2024 10:26:07 -0400
Subject: [PATCH 4/4] Update hermetic_library_generation.yaml

---
 .github/workflows/hermetic_library_generation.yaml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
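Review bot: `github.env.REPO_FULL_NAME` on the new `if:` line does not read the workflow `env:` block: `github.env` is the runner-side path of the GITHUB_ENV file, and the `env` context is not available in a job-level `if`, so as far as I can tell the expression evaluates to null and the job is skipped for every PR, in-repo ones included (PATCH 4/4 in this series deletes the condition rather than repairing it). The removed `if: github.event.pull_request.head.repo.full_name == github.repository` was never part of the injection surface, since `if:` expressions are evaluated by the workflow engine and not by a shell, so it can be restored verbatim. Keeping `REPO_FULL_NAME` in `env:` remains useful for a shell-side check.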
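Review bot: `set -ex` still lets an unset `HEAD_REF` (or `REPO_FULL_NAME`) expand to an empty string further down the script, so the generation script would be invoked with a missing `--current_branch` value instead of failing; `set -eux` turns that into an immediate error at the expansion site. The `[ -z … ] && git config …` lines are safe under `-e`, because a failing test on the left-hand side of `&&` does not trigger errexit. The `run: |` block continues past the end of the hunk.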
diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml
index ab23b9fec..51a087f8e 100644
--- a/.github/workflows/hermetic_library_generation.yaml
+++ b/.github/workflows/hermetic_library_generation.yaml
@@ -20,11 +20,10 @@ on:
 env:
   HEAD_REF: ${{ github.head_ref }}
   REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }}
+  GITHUB_REPOSITORY: ${{ github.repository }}
 
 jobs:
   library_generation:
-    # skip pull requests coming from a forked repository
-    if: github.env.REPO_FULL_NAME == github.repository
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
@@ -35,6 +34,10 @@ jobs:
       shell: bash
       run: |
         set -ex
+        if [[ "${GITHUB_REPOSITORY}" != "${REPO_FULL_NAME}" ]]; then
+          echo "This PR comes from a fork. Generation will be skipped"
+          exit 0
+        fi
         [ -z "$(git config user.email)" ] && git config --global user.email "cloud-java-bot@google.com"
         [ -z "$(git config user.name)" ] && git config --global user.name "cloud-java-bot"
         bash .github/scripts/hermetic_library_generation.sh \
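Review bot: Dropping the job-level `if:` means the job now starts, and `actions/checkout@v4` runs, for every fork PR before the in-script check gets a chance to exit; a job-level gate written as `if: github.event.pull_request.head.repo.full_name == github.repository` (the form PATCH 2/4 removed, which is valid in `jobs.<id>.if`) keeps fork PRs off the runner entirely, with the shell check as a second layer. The added `GITHUB_REPOSITORY: ${{ github.repository }}` redefines a name the runner already exports with the same value, and `GITHUB_` is documented as a reserved prefix for variables; dropping the line and relying on the default `$GITHUB_REPOSITORY` avoids the shadowing.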
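Review bot: The fork guard added at the top of the script carries no comment saying why it lives here instead of in a job-level `if:`, which the earlier patches in this series removed; suggest `# Fork PRs: skip generation here (a job-level if cannot read the workflow env context)` above the `if [[ … ]]`. Both operands are double-quoted expansions of values taken from the `github` context, so the comparison itself is injection-safe. `exit 0` makes a skipped fork PR report success; if a visible "skipped" status is wanted, the job-level condition provides that for free. The `run: |` block continues past the hunk.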