From a47fbf969b7cac3c96fbf3a9436bab7ac5754b98 Mon Sep 17 00:00:00 2001 From: Diogo Teles Sant'Anna Date: Fri, 2 Aug 2024 18:28:12 +0000 Subject: [PATCH 1/2] fix: github workflow vulnerable to script injection Signed-off-by: Diogo Teles Sant'Anna --- .github/workflows/hermetic_library_generation.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml index 7146cc3dc1..982d471d00 100644 --- a/.github/workflows/hermetic_library_generation.yaml +++ b/.github/workflows/hermetic_library_generation.yaml @@ -17,6 +17,9 @@ name: Hermetic library generation upon generation config change through pull req on: pull_request: +env: + HEAD_REF: ${{ github.head_ref }} + jobs: library_generation: # skip pull requests coming from a forked repository @@ -35,6 +38,6 @@ jobs: [ -z "$(git config user.name)" ] && git config --global user.name "cloud-java-bot" bash .github/scripts/hermetic_library_generation.sh \ --target_branch ${{ github.base_ref }} \ - --current_branch ${{ github.head_ref }} + --current_branch $HEAD_REF env: GH_TOKEN: ${{ secrets.CLOUD_JAVA_BOT_TOKEN }} From 02353e23edcb32a181f2b1da57af6435148b5170 Mon Sep 17 00:00:00 2001 From: Diego Marquez Date: Mon, 19 Aug 2024 16:35:14 -0400 Subject: [PATCH 2/2] inline repo's full_name as env var --- .github/workflows/hermetic_library_generation.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/hermetic_library_generation.yaml b/.github/workflows/hermetic_library_generation.yaml index 982d471d00..ab23b9fec0 100644 --- a/.github/workflows/hermetic_library_generation.yaml +++ b/.github/workflows/hermetic_library_generation.yaml @@ -19,11 +19,12 @@ on: env: HEAD_REF: ${{ github.head_ref }} + REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }} jobs: library_generation: # skip pull requests coming from a forked repository - if: github.event.pull_request.head.repo.full_name == github.repository + if: github.env.REPO_FULL_NAME == github.repository runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -33,7 +34,7 @@ jobs: - name: Generate changed libraries shell: bash run: | - set -x + set -ex [ -z "$(git config user.email)" ] && git config --global user.email "cloud-java-bot@google.com" [ -z "$(git config user.name)" ] && git config --global user.name "cloud-java-bot" bash .github/scripts/hermetic_library_generation.sh \