Skip to content

Commit 266a504

Browse files
fix(ci): add input validation and allowlist enforcement for compute types
Addresses 5 security findings: 1. CRITICAL: deploy.yml wildcard case now validates intent against ALLOWED_COMPUTE_TYPES before passing to matrix. Invalid values cause the workflow to fail with an error annotation. 2. MEDIUM: PR label deploy:<type> values are filtered through validate_compute_type(). Invalid labels emit a warning and are ignored rather than passed to the deploy matrix. 3. MEDIUM: sanitize() now lowercases input and prefixes "s-" if the result starts with a digit (CloudFormation requires letter start). 4. LOW: deploy-intent.json is now written with jq (safe JSON encoding) instead of shell string interpolation. 5. LOW: PR_NUMBER is validated as numeric before use in stack names. The ALLOWED_COMPUTE_TYPES allowlist is defined as an env var in each step that performs validation. When new compute types are added to the matrix, this allowlist must be updated in both build.yml and deploy.yml. Part of #73 Phase 3. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent 382c551 commit 266a504

2 files changed

Lines changed: 66 additions & 9 deletions

File tree

.github/workflows/build.yml

Lines changed: 26 additions & 4 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

.github/workflows/deploy.yml

Lines changed: 40 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -32,8 +32,32 @@ jobs:
3232
GH_TOKEN: ${{ github.token }}
3333
REPO: ${{ github.repository }}
3434
PR_NUMBER_FROM_EVENT: ${{ github.event.workflow_run.pull_requests[0].number }}
35+
ALLOWED_COMPUTE_TYPES: "agentcore"
3536
run: |
3637
ALL_TYPES='["agentcore"]'
38+
39+
validate_compute_type() {
40+
local type="$1"
41+
for allowed in $ALLOWED_COMPUTE_TYPES; do
42+
[[ "$type" == "$allowed" ]] && return 0
43+
done
44+
echo "::error::Invalid compute_type: '$type'. Allowed: $ALLOWED_COMPUTE_TYPES"
45+
return 1
46+
}
47+
48+
filter_valid_types() {
49+
local input_json="$1"
50+
local valid_json="[]"
51+
for type in $(echo "$input_json" | jq -r '.[]'); do
52+
if validate_compute_type "$type" 2>/dev/null; then
53+
valid_json=$(echo "$valid_json" | jq --arg t "$type" '. + [$t]')
54+
else
55+
echo "::warning::Ignoring invalid compute_type from label: '$type'"
56+
fi
57+
done
58+
echo "$valid_json"
59+
}
60+
3761
INTENT=$(jq -r '.deploy' deploy-intent.json)
3862
echo "Deploy intent from build: $INTENT"
3963
@@ -43,7 +67,6 @@ jobs:
4367
echo "has_targets=false" >> "$GITHUB_OUTPUT"
4468
;;
4569
labels)
46-
# PR-triggered build — check labels
4770
if [[ -z "$PR_NUMBER_FROM_EVENT" ]]; then
4871
echo "matrix=[]" >> "$GITHUB_OUTPUT"
4972
echo "has_targets=false" >> "$GITHUB_OUTPUT"
@@ -56,9 +79,17 @@ jobs:
5679
echo "matrix=$ALL_TYPES" >> "$GITHUB_OUTPUT"
5780
echo "has_targets=true" >> "$GITHUB_OUTPUT"
5881
elif echo "$LABELS" | jq -e '[.[] | select(startswith("deploy:"))] | length > 0' > /dev/null 2>&1; then
59-
TYPES=$(echo "$LABELS" | jq -c '[.[] | select(startswith("deploy:")) | ltrimstr("deploy:")]')
60-
echo "matrix=$TYPES" >> "$GITHUB_OUTPUT"
61-
echo "has_targets=true" >> "$GITHUB_OUTPUT"
82+
RAW_TYPES=$(echo "$LABELS" | jq -c '[.[] | select(startswith("deploy:")) | ltrimstr("deploy:")]')
83+
VALIDATED=$(filter_valid_types "$RAW_TYPES")
84+
COUNT=$(echo "$VALIDATED" | jq 'length')
85+
if [[ "$COUNT" -gt 0 ]]; then
86+
echo "matrix=$VALIDATED" >> "$GITHUB_OUTPUT"
87+
echo "has_targets=true" >> "$GITHUB_OUTPUT"
88+
else
89+
echo "::warning::All deploy:<type> labels were invalid"
90+
echo "matrix=[]" >> "$GITHUB_OUTPUT"
91+
echo "has_targets=false" >> "$GITHUB_OUTPUT"
92+
fi
6293
elif echo "$LABELS" | jq -e 'index("deploy")' > /dev/null 2>&1; then
6394
echo "matrix=$ALL_TYPES" >> "$GITHUB_OUTPUT"
6495
echo "has_targets=true" >> "$GITHUB_OUTPUT"
@@ -68,7 +99,11 @@ jobs:
6899
fi
69100
;;
70101
*)
71-
# Specific compute_type from push-to-main or workflow_dispatch
102+
if ! validate_compute_type "$INTENT"; then
103+
echo "matrix=[]" >> "$GITHUB_OUTPUT"
104+
echo "has_targets=false" >> "$GITHUB_OUTPUT"
105+
exit 1
106+
fi
72107
echo "matrix=[\"$INTENT\"]" >> "$GITHUB_OUTPUT"
73108
echo "has_targets=true" >> "$GITHUB_OUTPUT"
74109
;;

0 commit comments

Comments
 (0)