
Commit 790f3e1

committed
move ${{ inputs.* }} into env: mappings to prevent script injection
Signed-off-by: tdruez <tdruez@aboutcode.org>
1 parent fcad426 commit 790f3e1


1 file changed

+55
-29
lines changed


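--- a/action.yml
+++ b/action.yml
@@ -59,14 +59,15 @@ runs:
 
 - name: Set up environment
 shell: bash
+env:
+INPUT_PROJECT_NAME: ${{ inputs.project-name }}
 run: |
 echo "SECRET_KEY=$(openssl rand -base64 32)" >> $GITHUB_ENV
 echo "SCANCODEIO_DB_NAME=scancodeio" >> $GITHUB_ENV
 echo "SCANCODEIO_DB_USER=scancodeio" >> $GITHUB_ENV
 echo "SCANCODEIO_DB_PASSWORD=scancodeio" >> $GITHUB_ENV
 # Sanitize project name for artifact usage
-SAFE_PROJECT_NAME="${{ inputs.project-name }}"
-SAFE_PROJECT_NAME="${SAFE_PROJECT_NAME//[^a-zA-Z0-9._-]/_}"
+SAFE_PROJECT_NAME="${INPUT_PROJECT_NAME//[^a-zA-Z0-9._-]/_}"
 echo "SAFE_PROJECT_NAME=$SAFE_PROJECT_NAME" >> $GITHUB_ENV
 
 - name: Detect if ScanCode.io is already installed
@@ -85,16 +86,18 @@ runs:
 shell: bash
 run: |
 sudo systemctl start postgresql.service
-sudo -u postgres createuser --no-createrole --no-superuser --login --inherit --createdb ${{ env.SCANCODEIO_DB_USER }}
-sudo -u postgres psql -c "ALTER USER ${{ env.SCANCODEIO_DB_USER }} WITH ENCRYPTED PASSWORD '${{ env.SCANCODEIO_DB_PASSWORD }}'"
-sudo -u postgres createdb --owner=scancodeio --encoding=UTF-8 ${{ env.SCANCODEIO_DB_NAME }}
+sudo -u postgres createuser --no-createrole --no-superuser --login --inherit --createdb "$SCANCODEIO_DB_USER"
+sudo -u postgres psql -c "ALTER USER $SCANCODEIO_DB_USER WITH ENCRYPTED PASSWORD '$SCANCODEIO_DB_PASSWORD'"
+sudo -u postgres createdb --owner=scancodeio --encoding=UTF-8 "$SCANCODEIO_DB_NAME"
 
 - name: Generate scancodeio pip install argument
 if: env.SCANCODEIO_IS_INSTALLED != 'true'
 shell: bash
+env:
+INPUT_EXTRAS: ${{ inputs.scancodeio-extras }}
 run: |
 SCANCODEIO_PIP_PACKAGE_ARG="scancodeio"
-TRIMMED_EXTRAS="$(echo "${{ inputs.scancodeio-extras }}" | tr -d '[:space:]')"
+TRIMMED_EXTRAS="$(echo "$INPUT_EXTRAS" | tr -d '[:space:]')"
 if [ -n "$TRIMMED_EXTRAS" ]; then
 SCANCODEIO_PIP_PACKAGE_ARG+="[$TRIMMED_EXTRAS]"
 fi
@@ -103,13 +106,15 @@ runs:
 - name: Install ScanCode.io (only if not already installed)
 if: env.SCANCODEIO_IS_INSTALLED != 'true'
 shell: bash
+env:
+INPUT_REPO_BRANCH: ${{ inputs.scancodeio-repo-branch }}
 run: |
-if [ -z "${{ inputs.scancodeio-repo-branch }}" ]; then
-echo "Installing the latest ${{ env.SCANCODEIO_PIP_PACKAGE_ARG }} release from PyPI"
-pip install --upgrade "${{ env.SCANCODEIO_PIP_PACKAGE_ARG }}"
+if [ -z "$INPUT_REPO_BRANCH" ]; then
+echo "Installing the latest ${SCANCODEIO_PIP_PACKAGE_ARG} release from PyPI"
+pip install --upgrade "$SCANCODEIO_PIP_PACKAGE_ARG"
 else
-echo "Installing ${{ env.SCANCODEIO_PIP_PACKAGE_ARG }} from the GitHub branch: ${{ inputs.scancodeio-repo-branch }}"
-pip install "${{ env.SCANCODEIO_PIP_PACKAGE_ARG }} @ git+https://github.com/aboutcode-org/scancode.io.git@${{ inputs.scancodeio-repo-branch }}"
+echo "Installing ${SCANCODEIO_PIP_PACKAGE_ARG} from the GitHub branch: $INPUT_REPO_BRANCH"
+pip install "${SCANCODEIO_PIP_PACKAGE_ARG} @ git+https://github.com/aboutcode-org/scancode.io.git@${INPUT_REPO_BRANCH}"
 fi
 
 - name: Run migrations to prepare the database
@@ -119,8 +124,10 @@ runs:
 
 - name: Generate `--pipeline` CLI arguments
 shell: bash
+env:
+INPUT_PIPELINES: ${{ inputs.pipelines }}
 run: |
-IFS=',' read -ra PIPELINES <<< "${{ inputs.pipelines }}"
+IFS=',' read -ra PIPELINES <<< "$INPUT_PIPELINES"
 PIPELINE_CLI_ARGS=""
 for pipeline in "${PIPELINES[@]}"; do
 PIPELINE_CLI_ARGS+=" --pipeline $pipeline"
@@ -129,45 +136,54 @@ runs:
 
 - name: Generate `--input-url` CLI arguments
 shell: bash
+env:
+INPUT_URLS: ${{ inputs.input-urls }}
 run: |
 INPUT_URL_CLI_ARGS=""
-for url in ${{ inputs.input-urls }}; do
+for url in $INPUT_URLS; do
 INPUT_URL_CLI_ARGS+=" --input-url $url"
 done
 echo "INPUT_URL_CLI_ARGS=${INPUT_URL_CLI_ARGS}" >> $GITHUB_ENV
 
 - name: Create project
 shell: bash
+env:
+INPUT_PROJECT_NAME: ${{ inputs.project-name }}
 run: |
-scanpipe create-project ${{ inputs.project-name }} \
-${{ env.PIPELINE_CLI_ARGS }} \
-${{ env.INPUT_URL_CLI_ARGS }}
+scanpipe create-project "$INPUT_PROJECT_NAME" \
+$PIPELINE_CLI_ARGS \
+$INPUT_URL_CLI_ARGS
 
 - name: Set project work directory in the environment
 shell: bash
+env:
+INPUT_PROJECT_NAME: ${{ inputs.project-name }}
 run: |
-project_status=$(scanpipe status --project ${{ inputs.project-name }})
+project_status=$(scanpipe status --project "$INPUT_PROJECT_NAME")
 work_directory=$(echo "$project_status" | grep -oP 'Work directory:\s*\K[^\n]+')
 echo "PROJECT_WORK_DIRECTORY=$work_directory" >> $GITHUB_ENV
 
 - name: Copy input files to project work directory
 if: ${{ !inputs.input-urls }}
 shell: bash
+env:
+INPUT_INPUTS_PATH: ${{ inputs.inputs-path }}
+WORKSPACE: ${{ github.workspace }}
 run: |
-SOURCE_PATH="${{ inputs.inputs-path }}"
-[[ "$SOURCE_PATH" != /* ]] && SOURCE_PATH="${{ github.workspace }}/$SOURCE_PATH"
-DESTINATION_PATH="${{ env.PROJECT_WORK_DIRECTORY }}/input/"
+SOURCE_PATH="$INPUT_INPUTS_PATH"
+[[ "$SOURCE_PATH" != /* ]] && SOURCE_PATH="${WORKSPACE}/$SOURCE_PATH"
+DESTINATION_PATH="${PROJECT_WORK_DIRECTORY}/input/"
 mkdir -p "$DESTINATION_PATH"
 
 if [ -d "$SOURCE_PATH" ]; then
 if [ "$(ls -A "$SOURCE_PATH")" ]; then
-echo "Copying contents of directory: $SOURCE_PATH $DESTINATION_PATH"
+echo "Copying contents of directory: $SOURCE_PATH -> $DESTINATION_PATH"
 cp -r "$SOURCE_PATH"/* "$DESTINATION_PATH"
 else
 echo "Input directory '$SOURCE_PATH' is empty, nothing to copy."
 fi
 elif [[ -f "$SOURCE_PATH" ]]; then
-echo "Copying file: $SOURCE_PATH $DESTINATION_PATH"
+echo "Copying file: $SOURCE_PATH -> $DESTINATION_PATH"
 cp "$SOURCE_PATH" "$DESTINATION_PATH"
 fi
 
@@ -177,14 +193,20 @@ runs:
 
 - name: Run the pipelines
 shell: bash
-run: scanpipe execute --project ${{ inputs.project-name }} --no-color
+env:
+INPUT_PROJECT_NAME: ${{ inputs.project-name }}
+run: scanpipe execute --project "$INPUT_PROJECT_NAME" --no-color
 
 - name: Generate outputs
 id: scanpipe
 shell: bash
-run: scanpipe output
---project ${{ inputs.project-name }}
---format ${{ inputs.output-formats }}
+env:
+INPUT_PROJECT_NAME: ${{ inputs.project-name }}
+INPUT_OUTPUT_FORMATS: ${{ inputs.output-formats }}
+run: |
+scanpipe output \
+--project "$INPUT_PROJECT_NAME" \
+--format $INPUT_OUTPUT_FORMATS
 
 - name: Upload outputs
 uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
@@ -198,12 +220,16 @@ runs:
 - name: Check compliance
 if: inputs.check-compliance == 'true'
 shell: bash
+env:
+INPUT_PROJECT_NAME: ${{ inputs.project-name }}
+INPUT_FAIL_LEVEL: ${{ inputs.compliance-fail-level }}
+INPUT_FAIL_ON_VULNS: ${{ inputs.compliance-fail-on-vulnerabilities }}
 run: |
 cmd="scanpipe check-compliance \
---project ${{ inputs.project-name }} \
---fail-level ${{ inputs.compliance-fail-level }}"
+--project $INPUT_PROJECT_NAME \
+--fail-level $INPUT_FAIL_LEVEL"
 
-if [[ "${{ inputs.compliance-fail-on-vulnerabilities }}" == "true" ]]; then
+if [[ "$INPUT_FAIL_ON_VULNS" == "true" ]]; then
 cmd="$cmd --fail-on-vulnerabilities"
 fi
 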
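Review bot: The "Check compliance" step still assembles the command as a string, with `--project $INPUT_PROJECT_NAME` and `--fail-level $INPUT_FAIL_LEVEL` left unquoted, whereas every other step in this commit quotes `"$INPUT_PROJECT_NAME"`; the line that actually runs `$cmd` is below the hunk, so how it is executed cannot be seen here. If that line is `eval "$cmd"`, the `env:` mapping stops expression injection at the YAML layer but the string is re-parsed by the shell, so `$(…)`, backticks or `;` in `project-name` would still run; even a bare `$cmd` word-splits and globs the input values. A bash array keeps each argument intact and needs no string rebuild (the last line replaces whatever runs `$cmd` after the hunk):
```bash
cmd=(scanpipe check-compliance --project "$INPUT_PROJECT_NAME" --fail-level "$INPUT_FAIL_LEVEL")
if [[ "$INPUT_FAIL_ON_VULNS" == "true" ]]; then
  cmd+=(--fail-on-vulnerabilities)
fi
# … below the hunk: run the array instead of the string …
"${cmd[@]}"
```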