Address security issues and update e2e tests

Author: sebastianrath

core/docker.go

@@ -100,7 +100,7 @@ func (d *DockerClient) PullImage(ctx context.Context, imageRef string) error {
 	verbose := !IsTestE2eRunning()
 
 	if verbose {
-		utils.LogOut.Infof("%sPulling image '%s'\n", utils.LogGhStartGroup, imageRef)
+		utils.LogOut.Infof("%sPulling image '%s'\n", utils.LogGhStartGroup, utils.SanitizeImageRef(imageRef))
 		defer utils.LogOut.Infof(utils.LogGhEndGroup)
 	}
 
@@ -138,7 +138,7 @@ func (d *DockerClient) BuildImage(ctx context.Context, dockerfilePath, contextPa
 	verbose := !IsTestE2eRunning()
 
 	if verbose {
-		utils.LogOut.Infof("%sBuilding image '%s' from %s\n", utils.LogGhStartGroup, tag, dockerfilePath)
+		utils.LogOut.Infof("%sBuilding image '%s' from %s\n", utils.LogGhStartGroup, utils.SanitizeImageRef(tag), utils.SanitizeImageRef(dockerfilePath))
 		defer utils.LogOut.Infof(utils.LogGhEndGroup)
 	}
 

core/github.go

@@ -213,9 +213,12 @@ func LoadGitHubContext(env map[string]string, inputs map[string]any, secrets map
 	// Support for github.event.pull_request, github.event.commits, etc.
 	eventData := make(map[string]any)
 	if eventPath, ok := env["GITHUB_EVENT_PATH"]; ok && eventPath != "" {
-		fileContent, err := os.ReadFile(eventPath)
+		cleanPath, err := utils.ValidatePath(eventPath)
 		if err == nil {
-			_ = json.Unmarshal(fileContent, &eventData)
+			fileContent, err := os.ReadFile(cleanPath)
+			if err == nil {
+				_ = json.Unmarshal(fileContent, &eventData)
+			}
 		}
 	}
 
@@ -439,9 +442,13 @@ func SetupGitHubActionsEnv(finalEnv map[string]string) error {
 
 	for _, filePath := range fileCommandFiles {
 		if filePath != "" {
-			f, err := os.Create(filePath)
+			cleanPath, err := utils.ValidatePath(filePath)
+			if err != nil {
+				return CreateErr(nil, err, "invalid file command path %s", filePath)
+			}
+			f, err := os.Create(cleanPath)
 			if err != nil {
-				return CreateErr(nil, err, "failed to create file command file %s", filePath).
+				return CreateErr(nil, err, "failed to create file command file %s", cleanPath).
 					SetHint("Check that you have write permissions to the runner temp directory.")
 			}
 			f.Close()

core/github_evaluator.go

@@ -16,6 +16,7 @@ import (
 	"strconv"
 	"strings"
 
+	"github.com/actionforge/actrun-cli/utils"
 	"github.com/rhysd/actionlint"
 )
 
@@ -318,9 +319,13 @@ func (e *Evaluator) hashFiles(patterns ...string) (string, error) {
 	}
 	var uniqueFiles []string
 	for f := range fileSet {
-		info, err := os.Stat(f)
+		cleanPath, err := utils.ValidatePath(f)
+		if err != nil {
+			continue
+		}
+		info, err := os.Stat(cleanPath)
 		if err == nil && info.Mode().IsRegular() {
-			uniqueFiles = append(uniqueFiles, f)
+			uniqueFiles = append(uniqueFiles, cleanPath)
 		}
 	}
 	sort.Strings(uniqueFiles)
@@ -331,7 +336,11 @@ func (e *Evaluator) hashFiles(patterns ...string) (string, error) {
 
 	hasher := sha256.New()
 	for _, filePath := range uniqueFiles {
-		file, err := os.Open(filePath)
+		cleanPath, err := utils.ValidatePath(filePath)
+		if err != nil {
+			continue
+		}
+		file, err := os.Open(cleanPath)
 		if err != nil {
 			continue
 		}

core/graph.go

@@ -325,13 +325,17 @@ func RunGraph(ctx context.Context, graphName string, graphContent []byte, opts R
 
 	// Priority 1 (Lowest): Config file
 	if opts.ConfigFile != "" {
-		if _, err := os.Stat(opts.ConfigFile); err == nil {
-			localConfig, err := utils.LoadConfig(opts.ConfigFile)
+		cleanConfigPath, err := utils.ValidatePath(opts.ConfigFile)
+		if err != nil {
+			return CreateErr(nil, err, "invalid config file path")
+		}
+		if _, err := os.Stat(cleanConfigPath); err == nil {
+			localConfig, err := utils.LoadConfig(cleanConfigPath)
 			if err != nil {
 				return CreateErr(nil, err, "failed to load config file")
 			}
 
-			configName := filepath.Base(opts.ConfigFile)
+			configName := filepath.Base(cleanConfigPath)
 			envTracker.set(localConfig.Env, configName, true, false)
 			inputTracker.set(localConfig.Inputs, configName, true, false)
 			secretTracker.set(localConfig.Secrets, configName, true, true)
@@ -463,11 +467,15 @@ func RunGraph(ctx context.Context, graphName string, graphContent []byte, opts R
 	}
 
 	if newCwd != "" {
+		cleanCwd, err := utils.ValidatePath(newCwd)
+		if err != nil {
+			return CreateErr(nil, err, "invalid working directory path")
+		}
 		originalCwd, err := os.Getwd()
 		if err != nil {
 			return CreateErr(nil, err, "failed to get current working directory")
 		}
-		if err := os.Chdir(newCwd); err != nil {
+		if err := os.Chdir(cleanCwd); err != nil {
 			return CreateErr(nil, err, "failed to change working directory to ACT_CWD/GITHUB_WORKSPACE")
 		}
 		defer func() {
@@ -1102,10 +1110,14 @@ func RunGraphFromString(ctx context.Context, graphName string, graphContent stri
 }
 
 func RunGraphFromFile(ctx context.Context, graphFile string, opts RunOpts, debugCb DebugCallback) error {
-	graphContent, err := os.ReadFile(graphFile)
+	cleanPath, err := utils.ValidatePath(graphFile)
+	if err != nil {
+		return CreateErr(nil, err, "invalid graph file path")
+	}
+	graphContent, err := os.ReadFile(cleanPath)
 	if err != nil {
 		if os.IsNotExist(err) {
-			err = fmt.Errorf("open %s: no such file or directory", graphFile)
+			err = fmt.Errorf("open %s: no such file or directory", cleanPath)
 		}
 
 		return CreateErr(nil, err, "failed loading graph")

nodes/credentials-ssh@v1.go

@@ -1,12 +1,12 @@
 package nodes
 
 import (
-	"github.com/actionforge/actrun-cli/core"
-
 	_ "embed"
 	"os"
 
+	"github.com/actionforge/actrun-cli/core"
 	ni "github.com/actionforge/actrun-cli/node_interfaces"
+	"github.com/actionforge/actrun-cli/utils"
 )
 
 //go:embed credentials-ssh@v1.yml
@@ -48,19 +48,22 @@ func (n *SshCredentialNode) OutputValueById(c *core.ExecutionState, outputId cor
 		}
 		expandedPath = homeDir + expandedPath[1:]
 	}
-	_, err = os.Stat(expandedPath)
-	privateKeyInput = expandedPath
+	cleanPath, pathErr := utils.ValidatePath(expandedPath)
+	if pathErr != nil {
+		return nil, core.CreateErr(c, pathErr, "invalid private key path")
+	}
+	_, err = os.Stat(cleanPath)
 	if err == nil {
-		keyBytes, readErr := os.ReadFile(privateKeyInput)
+		keyBytes, readErr := os.ReadFile(cleanPath)
 		if readErr != nil {
-			return nil, core.CreateErr(c, readErr, "failed to read private key from path '%s'", privateKeyInput)
+			return nil, core.CreateErr(c, readErr, "failed to read private key from path '%s'", cleanPath)
 		}
 		keyContent = string(keyBytes)
 		if keyContent == "" {
 			return nil, core.CreateErr(c, nil, "private key content is empty")
 		}
 	} else {
-		return nil, core.CreateErr(c, err, "error checking path for private key '%s'", privateKeyInput)
+		return nil, core.CreateErr(c, err, "error checking path for private key '%s'", cleanPath)
 	}
 
 	credential := SshCredentials{

nodes/dir-create@v1.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/actionforge/actrun-cli/core"
 	ni "github.com/actionforge/actrun-cli/node_interfaces"
+	"github.com/actionforge/actrun-cli/utils"
 )
 
 //go:embed dir-create@v1.yml
@@ -29,11 +30,16 @@ func (n *DirCreateNode) ExecuteImpl(c *core.ExecutionState, inputId core.InputId
 		return err
 	}
 
+	cleanPath, pathErr := utils.ValidatePath(path)
+	if pathErr != nil {
+		return core.CreateErr(c, pathErr, "invalid directory path")
+	}
+
 	var mkdirErr error
 	if mkdirAll {
-		mkdirErr = os.MkdirAll(path, 0755)
+		mkdirErr = os.MkdirAll(cleanPath, 0755)
 	} else {
-		mkdirErr = os.Mkdir(path, 0755)
+		mkdirErr = os.Mkdir(cleanPath, 0755)
 	}
 
 	if mkdirErr != nil {

nodes/dir-walk@v1.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/actionforge/actrun-cli/core"
 	ni "github.com/actionforge/actrun-cli/node_interfaces"
+	"github.com/actionforge/actrun-cli/utils"
 
 	"golang.org/x/exp/maps"
 )
@@ -118,6 +119,11 @@ func walk(root string, opts walkOpts, pattern []string, items map[string]os.File
 		}
 	}
 
+	root, err = utils.ValidatePath(root)
+	if err != nil {
+		return "", core.CreateErr(nil, err, "invalid path")
+	}
+
 	root, err = filepath.Abs(root)
 	if err != nil {
 		return "", core.CreateErr(nil, err, "failed to get absolute path")

nodes/docker-run@v1.go

@@ -11,6 +11,7 @@ import (
 
 	"github.com/actionforge/actrun-cli/core"
 	ni "github.com/actionforge/actrun-cli/node_interfaces"
+	"github.com/actionforge/actrun-cli/utils"
 	"github.com/google/uuid"
 )
 
@@ -130,13 +131,19 @@ func (n *DockerNode) ExecuteImpl(c *core.ExecutionState, inputId core.InputId, p
 			dockerfilePath = filepath.Join(cwd, dockerfilePath)
 		}
 
-		if _, err := os.Stat(dockerfilePath); os.IsNotExist(err) {
+		cleanPath, pathErr := utils.ValidatePath(dockerfilePath)
+		if pathErr != nil {
+			return core.CreateErr(c, pathErr, "invalid Dockerfile path")
+		}
+
+		if _, err := os.Stat(cleanPath); os.IsNotExist(err) {
 			// check if this looks like an image reference (user forgot docker:// prefix)
 			if looksLikeImageReference(imageRef) {
-				return core.CreateErr(c, nil, "Dockerfile not found: %s. Did you mean 'docker://%s' to pull from a registry?", dockerfilePath, imageRef)
+				return core.CreateErr(c, nil, "Dockerfile not found: %s. Did you mean 'docker://%s' to pull from a registry?", cleanPath, imageRef)
 			}
-			return core.CreateErr(c, nil, "Dockerfile not found: %s", dockerfilePath)
+			return core.CreateErr(c, nil, "Dockerfile not found: %s", cleanPath)
 		}
+		dockerfilePath = cleanPath
 
 		var containerIdSuffix string
 		if core.IsTestE2eRunning() {

nodes/file-compress@v1.go

@@ -16,6 +16,7 @@ import (
 
 	"github.com/actionforge/actrun-cli/core"
 	ni "github.com/actionforge/actrun-cli/node_interfaces"
+	"github.com/actionforge/actrun-cli/utils"
 
 	"golang.org/x/exp/maps"
 )
@@ -126,25 +127,29 @@ func createArchiveStreamFromPaths(c *core.ExecutionState, itemPaths []string, co
 	dirSet := make(map[string]struct{})
 
 	for _, path := range itemPaths {
-		stats, err := os.Lstat(path)
+		cleanPath, pathErr := utils.ValidatePath(path)
+		if pathErr != nil {
+			return nil, core.CreateErr(c, pathErr, "invalid path: '%s'", path)
+		}
+		stats, err := os.Lstat(cleanPath)
 		if err != nil {
-			return nil, core.CreateErr(c, err, "failed to stat file: '%s'", path)
+			return nil, core.CreateErr(c, err, "failed to stat file: '%s'", cleanPath)
 		}
 
 		if stats.IsDir() {
 			// ignore walking a directory that has already been walked
-			if _, ok := dirSet[path]; ok {
+			if _, ok := dirSet[cleanPath]; ok {
 				continue
 			}
 
 			tmpItemSet := make(map[string]os.FileInfo)
-			path, err = walk(path, walkOpts{
+			walkPath, err := walk(cleanPath, walkOpts{
 				recursive: true,
 				files:     true,
 				dirs:      false,
 			}, nil, tmpItemSet)
 			if err != nil {
-				return nil, core.CreateErr(c, err, "failed to walk directory: '%s'", path)
+				return nil, core.CreateErr(c, err, "failed to walk directory: '%s'", walkPath)
 			}
 
 			for k, v := range tmpItemSet {
@@ -158,7 +163,7 @@ func createArchiveStreamFromPaths(c *core.ExecutionState, itemPaths []string, co
 			}
 
 		} else if stats.Mode().IsRegular() {
-			itemSet[path] = stats
+			itemSet[cleanPath] = stats
 		}
 	}
 

nodes/file-read@v1.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/actionforge/actrun-cli/core"
 	ni "github.com/actionforge/actrun-cli/node_interfaces"
+	"github.com/actionforge/actrun-cli/utils"
 )
 
 //go:embed file-read@v1.yml
@@ -25,13 +26,18 @@ func (n *FileReadNode) ExecuteImpl(c *core.ExecutionState, inputId core.InputId,
 		return err
 	}
 
-	fp, err := os.Open(path)
+	cleanPath, pathErr := utils.ValidatePath(path)
+	if pathErr != nil {
+		return core.CreateErr(c, pathErr, "invalid file path")
+	}
+
+	fp, err := os.Open(cleanPath)
 	if err != nil {
 		return core.CreateErr(c, err)
 	}
 
 	dsf := core.DataStreamFactory{
-		SourcePath: path,
+		SourcePath: cleanPath,
 		Reader:     fp,
 		Length:     core.GetReaderLength(fp),
 	}
@@ -42,10 +48,10 @@ func (n *FileReadNode) ExecuteImpl(c *core.ExecutionState, inputId core.InputId,
 		return err
 	}
 
-	st, statErr := os.Stat(path)
+	st, statErr := os.Stat(cleanPath)
 	if statErr == nil {
 		if st.IsDir() {
-			statErr = core.CreateErr(c, nil, "stat %s: is a directory", path)
+			statErr = core.CreateErr(c, nil, "stat %s: is a directory", cleanPath)
 		}
 	}