fix(security): harden GitHub Actions workflows against expression injection (#121)

Move `${{ }}` expressions from `run:` blocks into step-level `env: blocks`,
then reference them as properly-quoted shell variables.

Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>

Author: mnencia

.github/workflows/build-commitfest.yml

@@ -38,14 +38,18 @@ jobs:
 
     # Inputs have priority over defaults.json.
     - name: Evaluate E2E workflow inputs
+      env:
+        INPUT_MAJOR_VERSION: ${{ github.event.inputs.major_version }}
       run: |
-        if [[ -n "${{ github.event.inputs.major_version }}" ]]; then
-          echo "PG_MAJOR=${{ github.event.inputs.major_version }}" >> $GITHUB_ENV
+        if [[ -n "${INPUT_MAJOR_VERSION}" ]]; then
+          echo "PG_MAJOR=${INPUT_MAJOR_VERSION}" >> $GITHUB_ENV
         fi
 
     - name: Set commitfest branch and tag
+      env:
+        INPUT_PATCH_ID: ${{ github.event.inputs.patch_id }}
       run: |
-        BRANCH="cf/${{ github.event.inputs.patch_id }}"
+        BRANCH="cf/${INPUT_PATCH_ID}"
         TAG="${BRANCH////-}"
         echo "TAG=${TAG}" >> $GITHUB_ENV
         echo "BRANCH=${BRANCH}" >> $GITHUB_ENV
@@ -80,8 +84,10 @@ jobs:
     # Get a list of the images that were built and pushed.
     - name: Generated images
       id: images
+      env:
+        BUILD_METADATA: ${{ steps.build.outputs.metadata }}
       run: |
-        IMAGES="$(echo '${{ steps.build.outputs.metadata }}' | jq -r '.[]."image.name"')"
+        IMAGES="$(echo "${BUILD_METADATA}" | jq -r '.[]."image.name"')"
         {
           echo 'IMAGES<<EOF'
           echo "${IMAGES}"
@@ -95,10 +101,13 @@ jobs:
       - build-pg
     steps:
       - name: Output summary
+        env:
+          INPUT_PATCH_ID: ${{ github.event.inputs.patch_id }}
+          BUILD_PG_IMAGES: ${{ needs.build-pg.outputs.images }}
         run: |
-          commitFestPatchID=${{ github.event.inputs.patch_id }}
+          commitFestPatchID="${INPUT_PATCH_ID}"
           commitFestURL="https://commitfest.postgresql.org/patch/${commitFestPatchID}"
-          images="${{ needs.build-pg.outputs.images }}"
+          images="${BUILD_PG_IMAGES}"
           images_list="$(echo $images | tr ' ' '\n' | sed 's/^/https:\/\//')"
           minimalImage="$(echo $images | tr ' ' '\n' | grep minimal)"
 

.github/workflows/build.yml

@@ -44,9 +44,11 @@ jobs:
 
     # Inputs have priority over defaults.json.
     - name: Evaluate E2E workflow inputs
+      env:
+        INPUT_MAJOR_VERSION: ${{ github.event.inputs.major_version }}
       run: |
-        if [[ -n "${{ github.event.inputs.major_version }}" ]]; then
-          echo "PG_MAJOR=${{ github.event.inputs.major_version }}" >> $GITHUB_ENV
+        if [[ -n "${INPUT_MAJOR_VERSION}" ]]; then
+          echo "PG_MAJOR=${INPUT_MAJOR_VERSION}" >> $GITHUB_ENV
         fi
 
     - name: Log in to the GitHub Container registry
@@ -79,8 +81,10 @@ jobs:
     # Get a list of the images that were built and pushed.
     - name: Generated images
       id: images
+      env:
+        BUILD_METADATA: ${{ steps.build.outputs.metadata }}
       run: |
-        IMAGES="$(echo '${{ steps.build.outputs.metadata }}' | jq -r '.[]."image.name"')"
+        IMAGES="$(echo "${BUILD_METADATA}" | jq -r '.[]."image.name"')"
         {
           echo 'IMAGES<<EOF'
           echo "${IMAGES}"
@@ -94,9 +98,12 @@ jobs:
       - build-pg
     steps:
       - name: Output summary
+        env:
+          BUILD_PG_MAJOR: ${{ needs.build-pg.outputs.pg_major }}
+          BUILD_PG_IMAGES: ${{ needs.build-pg.outputs.images }}
         run: |
-          pg_major="${{ needs.build-pg.outputs.pg_major }}"
-          images="${{ needs.build-pg.outputs.images }}"
+          pg_major="${BUILD_PG_MAJOR}"
+          images="${BUILD_PG_IMAGES}"
           images_list="$(echo $images | tr ' ' '\n' | sed 's/^/https:\/\//')"
           minimalImage="$(echo $images | tr ' ' '\n' | grep minimal)"
 

.github/workflows/continuous-delivery.yml

@@ -46,15 +46,19 @@ jobs:
 
     # Inputs have priority over defaults.json.
     - name: Evaluate E2E workflow inputs
+      env:
+        INPUT_CNPG_BRANCH: ${{ github.event.inputs.cnpg_branch }}
+        INPUT_TEST_DEPTH: ${{ github.event.inputs.test_depth }}
+        INPUT_FEATURE_TYPE: ${{ github.event.inputs.feature_type }}
       run: |
-        if [[ -n "${{ github.event.inputs.cnpg_branch }}" ]]; then
-          echo "CNPG_BRANCH=${{ github.event.inputs.cnpg_branch }}" >> $GITHUB_ENV
+        if [[ -n "${INPUT_CNPG_BRANCH}" ]]; then
+          echo "CNPG_BRANCH=${INPUT_CNPG_BRANCH}" >> $GITHUB_ENV
         fi
-        if [[ -n "${{ github.event.inputs.test_depth }}" ]]; then
-          echo "TEST_DEPTH=${{ github.event.inputs.test_depth }}" >> $GITHUB_ENV
+        if [[ -n "${INPUT_TEST_DEPTH}" ]]; then
+          echo "TEST_DEPTH=${INPUT_TEST_DEPTH}" >> $GITHUB_ENV
         fi
-        if [[ -n "${{ github.event.inputs.feature_type }}" ]]; then
-          echo "FEATURE_TYPE=${{ github.event.inputs.feature_type }}" >> $GITHUB_ENV
+        if [[ -n "${INPUT_FEATURE_TYPE}" ]]; then
+          echo "FEATURE_TYPE=${INPUT_FEATURE_TYPE}" >> $GITHUB_ENV
         fi
 
     - name: Log in to the GitHub Container registry
@@ -81,8 +85,10 @@ jobs:
     # Get a list of the images that were built and pushed. We only care about a single tag for each image.
     - name: Generated images
       id: images
+      env:
+        BUILD_METADATA: ${{ steps.build.outputs.metadata }}
       run: |
-        echo "PG_IMAGE=$(echo '${{ steps.build.outputs.metadata }}' | jq -r '.["minimal"].["image.name"]' | grep -oP '[^,]*\d{12}[^,]*')" >> $GITHUB_ENV
+        echo "PG_IMAGE=$(echo "${BUILD_METADATA}" | jq -r '.["minimal"].["image.name"]' | grep -oP '[^,]*\d{12}[^,]*')" >> $GITHUB_ENV
 
   call-reusable-e2e:
     if: github.event_name == 'schedule'

.github/workflows/reusable-e2e.yml

@@ -126,20 +126,23 @@ jobs:
 
       # The version of operator to upgrade FROM, in the rolling upgrade E2E test
       - name: Retag the image to create E2E_PRE_ROLLING_UPDATE_IMG
+        env:
+          INPUT_MAJOR_VERSION: ${{ inputs.major_version }}
+          INPUT_POSTGRES_IMG: ${{ inputs.postgres_img }}
         run: |
-          E2E_PRE_ROLLING_UPDATE_IMG="${{ env.REGISTRY }}:${{ inputs.major_version }}-rolling-upgrade-e2e-${{ github.run_number }}"
-          docker pull ${{ inputs.postgres_img }}
-          docker tag ${{ inputs.postgres_img }} $E2E_PRE_ROLLING_UPDATE_IMG
+          E2E_PRE_ROLLING_UPDATE_IMG="${REGISTRY}:${INPUT_MAJOR_VERSION}-rolling-upgrade-e2e-${GITHUB_RUN_NUMBER}"
+          docker pull "${INPUT_POSTGRES_IMG}"
+          docker tag "${INPUT_POSTGRES_IMG}" $E2E_PRE_ROLLING_UPDATE_IMG
           docker push $E2E_PRE_ROLLING_UPDATE_IMG
           echo "E2E_PRE_ROLLING_UPDATE_IMG=$E2E_PRE_ROLLING_UPDATE_IMG" >> $GITHUB_ENV
 
       - name: Setting up defaults
         run: |
           # Exlude backup/recovery and image-volume tests
-          if [ -z "${{ env.FEATURE_TYPE }}" ]; then
+          if [ -z "${FEATURE_TYPE}" ]; then
             echo "FEATURE_TYPE=!(backup-restore || image-volume-extensions)" >> $GITHUB_ENV
           else
-            echo "FEATURE_TYPE=!(backup-restore || image-volume-extensions) && ${{ env.FEATURE_TYPE }}" >> $GITHUB_ENV
+            echo "FEATURE_TYPE=!(backup-restore || image-volume-extensions) && ${FEATURE_TYPE}" >> $GITHUB_ENV
           fi
 
       - name: Run Kind End-to-End tests
@@ -168,12 +171,12 @@ jobs:
         run: |
           set +x
           python .github/generate-test-artifacts.py \
-            -o testartifacts-${{ env.ID }} \
+            -o "testartifacts-${ID}" \
             -f tests/e2e/out/report.json \
             --environment=true
           if [ -f tests/e2e/out/upgrade_report.json ]; then
             python .github/generate-test-artifacts.py \
-              -o testartifacts-${{ env.ID }} \
+              -o "testartifacts-${ID}" \
               -f tests/e2e/out/upgrade_report.json \
               --environment=true
           fi

.github/workflows/run-e2e-test.yml

@@ -43,21 +43,27 @@ jobs:
 
     # Inputs have priority over defaults.json.
     - name: Evaluate E2E workflow inputs
+      env:
+        INPUT_POSTGRES_IMG: ${{ github.event.inputs.postgres_img }}
+        INPUT_MAJOR_VERSION: ${{ github.event.inputs.major_version }}
+        INPUT_CNPG_BRANCH: ${{ github.event.inputs.cnpg_branch }}
+        INPUT_TEST_DEPTH: ${{ github.event.inputs.test_depth }}
+        INPUT_FEATURE_TYPE: ${{ github.event.inputs.feature_type }}
       run: |
-        if [[ -n "${{ github.event.inputs.postgres_img }}" ]]; then
-          echo "PG_IMAGE=${{ github.event.inputs.postgres_img }}" >> $GITHUB_ENV
+        if [[ -n "${INPUT_POSTGRES_IMG}" ]]; then
+          echo "PG_IMAGE=${INPUT_POSTGRES_IMG}" >> $GITHUB_ENV
         fi
-        if [[ -n "${{ github.event.inputs.major_version }}" ]]; then
-          echo "PG_MAJOR=${{ github.event.inputs.major_version }}" >> $GITHUB_ENV
+        if [[ -n "${INPUT_MAJOR_VERSION}" ]]; then
+          echo "PG_MAJOR=${INPUT_MAJOR_VERSION}" >> $GITHUB_ENV
         fi
-        if [[ -n "${{ github.event.inputs.cnpg_branch }}" ]]; then
-          echo "CNPG_BRANCH=${{ github.event.inputs.cnpg_branch }}" >> $GITHUB_ENV
+        if [[ -n "${INPUT_CNPG_BRANCH}" ]]; then
+          echo "CNPG_BRANCH=${INPUT_CNPG_BRANCH}" >> $GITHUB_ENV
         fi
-        if [[ -n "${{ github.event.inputs.test_depth }}" ]]; then
-          echo "TEST_DEPTH=${{ github.event.inputs.test_depth }}" >> $GITHUB_ENV
+        if [[ -n "${INPUT_TEST_DEPTH}" ]]; then
+          echo "TEST_DEPTH=${INPUT_TEST_DEPTH}" >> $GITHUB_ENV
         fi
-        if [[ -n "${{ github.event.inputs.feature_type }}" ]]; then
-          echo "FEATURE_TYPE=${{ github.event.inputs.feature_type }}" >> $GITHUB_ENV
+        if [[ -n "${INPUT_FEATURE_TYPE}" ]]; then
+          echo "FEATURE_TYPE=${INPUT_FEATURE_TYPE}" >> $GITHUB_ENV
         fi
 
   call-reusable-e2e: