
Commit f36ce3f

Fixed exploit that could pass a command through the PR title or other metadata fields.
1 parent 3e59cdb commit f36ce3f

4 files changed

Lines changed: 40 additions & 21 deletions


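--- a/.github/workflows/cesar.yaml
+++ b/.github/workflows/cesar.yaml
@@ -37,22 +37,29 @@ jobs:
 chmod +x $GITHUB_WORKSPACE/2ms/dist/2ms
 
 - name: Create Metadata File
+env:
+PR_NUMBER: ${{ github.event.number }}
+PR_TITLE: ${{ github.event.pull_request.title }}
+PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+ACTOR: ${{ github.actor }}
+HEAD_REF: ${{ github.head_ref }}
+BASE_REF: ${{ github.base_ref }}
 run: |
 COMMIT_TIMESTAMP=$(git -C "$GITHUB_WORKSPACE/2ms" log -1 --format=%ct)
 METADATA_PATH="$GITHUB_WORKSPACE/pr-metadata.json"
 CURR_TIMESTAMP=$(date +%s)
 echo '{
 "seq": "'"${CURR_TIMESTAMP}"'",
-"tag": "'"${{ github.event.number }}"'",
-"comment": "'"${{ github.event.pull_request.title }}"'",
-"commit": "'"${{ github.event.pull_request.head.sha }}"'",
-"owner": "'"${{ github.actor }}"'",
-"branch": "'"${{ github.head_ref }}"'",
+"tag": "'"${PR_NUMBER}"'",
+"comment": "'"${PR_TITLE}"'",
+"commit": "'"${PR_HEAD_SHA}"'",
+"owner": "'"${ACTOR}"'",
+"branch": "'"${HEAD_REF}"'",
 "engine": "'"${ENGINE}"'",
 "platform": "'"${PLATFORM}"'",
 "version": "'"${ENGINE_VERSION}"'",
 "forkSeq": "'"${CURR_TIMESTAMP}"'",
-"forkBranch": "'"${{ github.base_ref }}"'",
+"forkBranch": "'"${BASE_REF}"'",
 "removeHistory" : "'"${REMOVE_HISTORY}"'"
 }' > "$METADATA_PATH"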
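Review bot: Moving the expressions into `env` closes the shell-injection path, but `"comment": "'"${PR_TITLE}"'"` still splices the title into the JSON text by plain string concatenation, so a title containing a double quote or a backslash produces malformed JSON or changes the document's structure; the same applies to `HEAD_REF` and `BASE_REF` here and to the Create Metadata File step in ci-projects.yaml. Build the document with a JSON-aware tool instead, e.g. `jq -n --arg comment "$PR_TITLE" …`, which escapes every value for you; jq is available on the hosted runners. `COMMIT_TIMESTAMP` is assigned but never used in this step, which looks like a leftover rather than intent. Whether the step body continues past the closing `}' > "$METADATA_PATH"` line is not visible in this hunk.
```yaml
run: |
  # … unchanged: COMMIT_TIMESTAMP, METADATA_PATH, CURR_TIMESTAMP assignments …
  jq -n \
    --arg seq "$CURR_TIMESTAMP" \
    --arg tag "$PR_NUMBER" \
    --arg comment "$PR_TITLE" \
    --arg commit "$PR_HEAD_SHA" \
    --arg owner "$ACTOR" \
    --arg branch "$HEAD_REF" \
    --arg engine "$ENGINE" \
    --arg platform "$PLATFORM" \
    --arg version "$ENGINE_VERSION" \
    --arg forkBranch "$BASE_REF" \
    --arg removeHistory "$REMOVE_HISTORY" \
    '{seq: $seq, tag: $tag, comment: $comment, commit: $commit, owner: $owner,
      branch: $branch, engine: $engine, platform: $platform, version: $version,
      forkSeq: $seq, forkBranch: $forkBranch, removeHistory: $removeHistory}' \
    > "$METADATA_PATH"
```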

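--- a/.github/workflows/ci-projects.yaml
+++ b/.github/workflows/ci-projects.yaml
@@ -38,16 +38,22 @@ jobs:
 chmod +x $GITHUB_WORKSPACE/2ms/dist/2ms
 
 - name: Create Metadata File
+env:
+PR_NUMBER: ${{ github.event.number }}
+PR_TITLE: ${{ github.event.pull_request.title }}
+GH_SHA: ${{ github.sha }}
+ACTOR: ${{ github.actor }}
+BASE_REF: ${{ github.base_ref }}
 run: |
 COMMIT_TIMESTAMP=$(git -C "$GITHUB_WORKSPACE/2ms" log -1 --format=%ct)
 METADATA_PATH="$GITHUB_WORKSPACE/pr-metadata.json"
 echo '{
 "seq": "'"${COMMIT_TIMESTAMP}"'",
-"tag": "'"${{ github.event.number }}"'",
-"comment": "'"${{ github.event.pull_request.title }}"'",
-"commit": "'"${{ github.sha }}"'",
-"owner": "'"${{ github.actor }}"'",
-"branch": "'"${{ github.base_ref }}"'",
+"tag": "'"${PR_NUMBER}"'",
+"comment": "'"${PR_TITLE}"'",
+"commit": "'"${GH_SHA}"'",
+"owner": "'"${ACTOR}"'",
+"branch": "'"${BASE_REF}"'",
 "engine": "'"${ENGINE}"'",
 "platform": "'"${PLATFORM}"'",
 "version": "'"${ENGINE_VERSION}"'"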

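--- a/.github/workflows/pr-title.yml
+++ b/.github/workflows/pr-title.yml
@@ -14,5 +14,7 @@ jobs:
 run: |
 echo "module.exports = {extends: ['@commitlint/config-conventional']}" > commitlint.config.js
 - name: validate PR title
+env:
+PR_TITLE: ${{ github.event.pull_request.title }}
 run: |
-echo ${{ github.event.pull_request.title }} | commitlint
+echo "$PR_TITLE" | commitlint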
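Review bot: `echo "$PR_TITLE" | commitlint` still lets the title's first word be parsed as an option by bash's builtin echo (a title beginning with `-n` or `-e` is consumed or has escapes processed instead of being validated), so the check can be bypassed or see a different string than the PR shows. Use `printf '%s\n' "$PR_TITLE" | commitlint`, which passes the value through verbatim regardless of its leading characters. Quoting the variable, as the commit now does, is what stops word splitting and globbing; the echo option handling is the remaining gap.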

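--- a/.github/workflows/validate-issues.yaml
+++ b/.github/workflows/validate-issues.yaml
@@ -8,6 +8,8 @@ jobs:
 env:
 BODY: ${{ github.event.issue.body }}
 TITLE: ${{ github.event.issue.title }}
+REPOSITORY: ${{ github.repository }}
+ISSUE_NUMBER: ${{ github.event.issue.number }}
 steps:
 - name: Checkout code
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -34,7 +36,7 @@ jobs:
 if: ${{ env.TITLE_CHECK_FAILED != 'true' }}
 run: |
 comments=$(curl -s -H "Authorization: token ${{ secrets.TWOMS_BOT_PAT}}" \
--X GET "https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/comments")
+-X GET "https://api.github.com/repos/$REPOSITORY/issues/$ISSUE_NUMBER/comments")
 if echo "$comments" | grep -q "title_check"; then
 echo "TAG_EXISTS=true" >> $GITHUB_ENV
 else
@@ -67,6 +69,8 @@ jobs:
 BODY: ${{ github.event.issue.body }}
 LABELS: ${{ toJson(github.event.issue.labels) }}
 TITLE: ${{ github.event.issue.title }}
+REPOSITORY: ${{ github.repository }}
+ISSUE_NUMBER: ${{ github.event.issue.number }}
 steps:
 - name: Checkout code
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -82,39 +86,39 @@ jobs:
 if [[ "$TITLE" == feat* ]] || echo "$TITLE $BODY" | grep -iqP "feature request" || echo "$BODY" | grep -iqP "Is your feature request related to a problem? Please describe." || echo "$BODY" | grep -iqP "Describe the solution you'd like" || echo "$BODY" | grep -iqP "Describe alternatives you've considered" || echo "$BODY" | grep -iqP "Additional context"; then
 if [[ "$IS_MEMBER" == "true" ]]; then
 echo "Adding 'feature' label..."
-curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels -d '{"labels": ["feature"]}'
+curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/$REPOSITORY/issues/$ISSUE_NUMBER/labels -d '{"labels": ["feature"]}'
 else
 echo "Adding 'feature request' label..."
-curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels -d '{"labels": ["feature request"]}'
+curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/$REPOSITORY/issues/$ISSUE_NUMBER/labels -d '{"labels": ["feature request"]}'
 fi
 else
 if echo "$LABELS" | grep -q "feature request"; then
 echo "Removing 'feature request' label..."
-curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels/feature%20request
+curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/$REPOSITORY/issues/$ISSUE_NUMBER/labels/feature%20request
 elif echo "$LABELS" | grep -q "feature"; then
 echo "Removing 'feature' label..."
-curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels/feature
+curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/$REPOSITORY/issues/$ISSUE_NUMBER/labels/feature
 fi
 fi
 - name: Add bug label
 run: |
 if echo "$TITLE $BODY" | grep -iqP "(\\b|_)bugs?(\\b|_)" || echo "$BODY" | grep -iqP "steps to reproduce" || echo "$BODY" | grep -iqP "actual behavior" || echo "$BODY" | grep -iqP "expected behavior"; then
 echo "Adding 'bug' label..."
-curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels -d '{"labels": ["bug"]}'
+curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/$REPOSITORY/issues/$ISSUE_NUMBER/labels -d '{"labels": ["bug"]}'
 else
 if echo "$LABELS" | grep -q "bug"; then
 echo "Removing 'bug' label..."
-curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels/bug
+curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/$REPOSITORY/issues/$ISSUE_NUMBER/labels/bug
 fi
 fi
 - name: Add bug label (extra)
 run: |
 if echo "$TITLE $BODY" | grep -iqP "(\\b|_)bugs?(\\b|_)" || echo "$BODY" | grep -iqP "steps to reproduce" || echo "$BODY" | grep -iqP "actual behavior" || echo "$BODY" | grep -iqP "expected behavior"; then
 echo "Adding 'bug' label (extra)..."
-curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels -d '{"labels": ["bug"]}'
+curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/$REPOSITORY/issues/$ISSUE_NUMBER/labels -d '{"labels": ["bug"]}'
 else
 if echo "$LABELS" | grep -q "bug"; then
 echo "Removing 'bug' label (extra)..."
-curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels/bug
+curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/$REPOSITORY/issues/$ISSUE_NUMBER/labels/bug
 fi
 fi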
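Review bot: The rewritten curl lines in the third hunk pass the URL as an unquoted word, `https://api.github.com/repos/$REPOSITORY/issues/$ISSUE_NUMBER/labels`, so `$REPOSITORY` and `$ISSUE_NUMBER` are subject to word splitting and pathname expansion, whereas the second hunk correctly writes `-X GET "https://api.github.com/repos/$REPOSITORY/issues/$ISSUE_NUMBER/comments"`. The values come from `github.repository` and the issue number, so the practical risk is low, but quoting every occurrence, `"https://api.github.com/repos/$REPOSITORY/issues/$ISSUE_NUMBER/labels"`, makes the change consistent and removes a class of surprise for free. The `run: |` block that the third hunk opens with begins before the hunk's first line, so the earlier part of that step is not visible here.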
