harden against RCE

Author: dmcilvaney

.github/workflows/check-rendered-specs.yml

@@ -31,10 +31,17 @@ on:
 
 permissions: {}
 
+# Belt-and-suspenders: the stub also sets concurrency, but keep it here so the
+# contract survives refactoring / direct invocation.
+concurrency:
+  group: render-check-${{ inputs.repo }}-${{ inputs.pr-number }}
+  cancel-in-progress: true
+
 jobs:
   check:
     name: Rendered specs freshness
     runs-on: ubuntu-latest
+    timeout-minutes: 60
     permissions:
       contents: read
       pull-requests: write # Post/update/delete drift comments on PRs
@@ -78,64 +85,64 @@ jobs:
             -f .github/workflows/containers/render.Dockerfile \
             .github/workflows/containers/
 
-      # Render runs inside a container with SYS_ADMIN capability because mock
-      # needs mount namespaces for chroot operations. We avoid --privileged to
-      # limit the blast radius if a malicious spec's %() macro achieves code
-      # execution inside the container. Only the PR checkout is mounted (not
-      # the full workspace) — the trusted base checkout where our scripts live
-      # is not accessible. The azldev binary is mounted read-only.
+      # Render + drift-check run entirely inside the container. The host never
+      # invokes git against PR data: all git operations happen in the sandboxed
+      # environment, and the host only reads two trusted-shape outputs
+      # (report.json, rendered-specs.patch) from a dedicated output volume.
+      # This dodges the whole class of poisoned-.git/config attacks
+      # (diff.external, diff drivers, filter drivers, hooks, etc.).
       #
-      # NOTE: --security-opt no-new-privileges would be ideal but mock's
-      # userhelper requires setuid, which that flag blocks.
-      - name: Render specs
+      # SYS_ADMIN is needed for mock (mount namespaces for chroot). We avoid
+      # --privileged to limit blast radius. --security-opt no-new-privileges
+      # would be nice but mock's userhelper requires setuid, which that blocks.
+      - name: Render + check for drift
+        id: check
+        continue-on-error: true # TODO: flip off once check stabilizes (see PR #16674)
         env:
           WORKSPACE: ${{ github.workspace }}
         run: |
-          set -o pipefail
+          set -euo pipefail
+          mkdir -p "$WORKSPACE/render-output"
           docker run --rm \
             --cap-add=SYS_ADMIN \
             --security-opt seccomp=unconfined \
             -v "$WORKSPACE/pr-head:/workdir" \
+            -v "$WORKSPACE/render-output:/output" \
+            -v "$WORKSPACE/.github/workflows/scripts:/scripts:ro" \
             -v "$(go env GOPATH)/bin:/gobin:ro" \
             -e PATH="/gobin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" \
             localhost/azldev-render \
-            azldev component render -q -a --clean-stale -O json \
-            | tee render-output.json
-
-      - name: Resolve specs directory
-        id: specs-dir
-        run: |
-          SPECS_DIR=$(azldev -C pr-head config dump -q | grep 'rendered-specs-dir' | cut -d"'" -f2)
-          echo "path=$SPECS_DIR" >> "$GITHUB_OUTPUT"
-
-      - name: Check for drift
-        id: check
-        continue-on-error: true # Non-blocking while the feature stabilizes
-        env:
-          SPECS_DIR: ${{ steps.specs-dir.outputs.path }}
-        run: |
-          cd pr-head
-          python -I "$GITHUB_WORKSPACE/.github/workflows/scripts/check_rendered_specs.py" \
-            --specs-dir "$SPECS_DIR" \
-            --report "$GITHUB_WORKSPACE/render-check-report.json" \
-            --patch "$GITHUB_WORKSPACE/rendered-specs.patch"
+            bash -eu -o pipefail -c '
+              azldev component render -q -a --clean-stale -O json \
+                > /output/render-output.json
+              SPECS_DIR=$(azldev config dump -q -f json \
+                | python3 -c "import json,sys; print(json.load(sys.stdin)[\"project\"][\"renderedSpecsDir\"])")
+              python3 /scripts/check_rendered_specs.py \
+                --specs-dir "$SPECS_DIR" \
+                --report /output/render-check-report.json \
+                --patch /output/rendered-specs.patch
+            '
 
-      - name: Upload fix patch
+      # Dual upload: `archive: false` (v7 feature) gives browser users a direct
+      # download of the raw patch (artifact name is derived from the filename,
+      # so `name:` is ignored here — that's why we need the second upload).
+      # The zipped `rendered-specs-patch` artifact is for `gh run download`,
+      # which only works with named artifacts.
+      - name: Upload fix patch (unzipped, for browser download)
         id: upload-patch
-        if: hashFiles('rendered-specs.patch') != ''
+        if: hashFiles('render-output/rendered-specs.patch') != ''
         uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
-          path: rendered-specs.patch
+          path: render-output/rendered-specs.patch
           archive: false
 
-      # Also upload as a zipped artifact so `gh run download` works.
-      # See: https://github.com/cli/cli/issues/13012
-      - name: Upload fix patch (for gh cli)
-        if: hashFiles('rendered-specs.patch') != ''
+      # See: https://github.com/cli/cli/issues/13012 for why this is needed.
+      - name: Upload fix patch (zipped, for gh run download)
+        if: hashFiles('render-output/rendered-specs.patch') != ''
         uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: rendered-specs-patch
-          path: rendered-specs.patch
+          path: render-output/rendered-specs.patch
 
       - name: Post PR comment
         if: always()
@@ -147,10 +154,10 @@ jobs:
           PATCH_URL: ${{ steps.upload-patch.outputs.artifact-url }}
           RUN_ID: ${{ github.run_id }}
         run: |
-          python -I .github/workflows/scripts/post_render_comment.py \
+          python .github/workflows/scripts/post_render_comment.py \
             --repo "$PR_REPO" \
             --pr "$PR_NUMBER" \
-            --report render-check-report.json \
+            --report render-output/render-check-report.json \
             --artifacts-url "$PATCH_URL" \
             --run-id "$RUN_ID"
 
@@ -160,4 +167,5 @@ jobs:
         with:
           name: render-output
           path: |
-            render-output.json
+            render-output/render-output.json
+            render-output/render-check-report.json

.github/workflows/scripts/check_rendered_specs.py

@@ -2,13 +2,15 @@
 """
 Check rendered specs for drift.
 
-Compares the committed specs tree against the working tree (after
-`azldev component render -a` has been run) and reports meaningful differences,
-filtering out changelog-timestamp noise.
+Runs inside the render container: compares the committed specs tree against
+the working tree (after `azldev component render -a` has been run) and writes
+a JSON report and a git patch to the mounted output volume. The host never
+invokes git against PR data, so this script runs in a trusted environment
+and doesn't need host-side hardening against poisoned .git/config.
 
 Usage:
-    python check_rendered_specs.py --specs-dir specs
-    python check_rendered_specs.py --specs-dir specs --report report.json --patch fix.patch
+    python3 check_rendered_specs.py --specs-dir specs
+    python3 check_rendered_specs.py --specs-dir specs --report report.json --patch fix.patch
 
 Exit codes:
     0 — specs are up to date (timestamp-only noise filtered)
@@ -32,26 +34,29 @@
 # ---------------------------------------------------------------------------
 
 # Matches the azldev-generated changelog line.
+# Tightly coupled to the format emitted by azldev's render pipeline; if azldev
+# ever changes the emitted form (email suffix, version tag, different
+# whitespace) this regex must be updated or every spec will look like drift.
+# Owner: azure-linux-dev-tools (cmd that emits "* <date> azldev <>" lines).
 # e.g. "* Wed Apr 08 2026 azldev <> - 1.0-1"
 _CHANGELOG_DATE_RE = re.compile(
-    r"^\* [A-Z][a-z]{2} [A-Z][a-z]{2} [0-9]{2} [0-9]{4} azldev "
+    r"^\* [A-Z][a-z]{2} [A-Z][a-z]{2} [0-9]{2} [0-9]{4} azldev\b"
 )
 
 # ---------------------------------------------------------------------------
 # Git helpers
 # ---------------------------------------------------------------------------
 
 
-def _git(*args: str) -> str:
-    """Run a git command and return stdout."""
-    return subprocess.run(
-        ["git", *args], capture_output=True, text=True, check=True
-    ).stdout
+def _git_bytes(*args: str) -> bytes:
+    """Run a git command and return stdout (bytes)."""
+    return subprocess.run(["git", *args], capture_output=True, check=True).stdout
 
 
-def _git_lines(*args: str) -> list[str]:
-    """Run a git command and return non-empty output lines."""
-    return [line for line in _git(*args).splitlines() if line]
+def _git_lines_z(*args: str) -> list[str]:
+    """Run a git command with -z-compatible args and return NUL-split lines."""
+    out = _git_bytes(*args)
+    return [p.decode("utf-8") for p in out.split(b"\x00") if p]
 
 
 # ---------------------------------------------------------------------------
@@ -64,7 +69,7 @@ def normalize_changelog_date(text: str) -> str:
     out: list[str] = []
     for line in text.splitlines(keepends=True):
         if _CHANGELOG_DATE_RE.match(line):
-            line = _CHANGELOG_DATE_RE.sub("* DATEPLACEHOLDER azldev ", line)
+            line = _CHANGELOG_DATE_RE.sub("* DATEPLACEHOLDER azldev", line)
         out.append(line)
     return "".join(out)
 
@@ -89,11 +94,24 @@ def classify_changes(specs_dir: Path) -> tuple[list[str], list[str], list[str]]:
 
     The three lists are disjoint: changed contains only modified files,
     missing contains only deleted files, and extra contains untracked files.
+
+    Untracked enumeration deliberately does NOT honor `.gitignore` — a
+    malicious PR could otherwise commit a `.gitignore` under specs_dir to
+    hide newly rendered files and make the check green. We also drop any
+    `.gitignore`/`.gitattributes` files found under specs_dir since they
+    have no business in a rendered-output tree.
     """
     sd = str(specs_dir)
-    changed = _git_lines("diff", "--diff-filter=M", "--name-only", "--", sd)
-    extra = _git_lines("ls-files", "--others", "--exclude-standard", "--", sd)
-    missing = _git_lines("ls-files", "--deleted", "--", sd)
+    changed = _git_lines_z("diff", "-z", "--diff-filter=M", "--name-only", "--", sd)
+    # No --exclude-standard: list ALL untracked files so a PR-committed
+    # .gitignore under specs_dir can't hide drift.
+    extra_raw = _git_lines_z("ls-files", "-z", "--others", "--", sd)
+    missing = _git_lines_z("ls-files", "-z", "--deleted", "--", sd)
+    # Filter out .gitignore / .gitattributes anywhere under specs_dir — they
+    # shouldn't be in rendered output and shouldn't influence our enumeration.
+    extra = [
+        p for p in extra_raw if Path(p).name not in (".gitignore", ".gitattributes")
+    ]
     return changed, extra, missing
 
 
@@ -108,14 +126,30 @@ def filter_timestamp_noise(changed_files: list[str], specs_dir: Path) -> list[di
         file_path = Path(path_str)
         is_spec = file_path.suffix == ".spec"
 
+        # Symlinks in a rendered-output tree are suspicious (could point
+        # anywhere on the runner's filesystem). Flag and skip content reads.
+        if file_path.is_symlink():
+            print(
+                f"::warning::Symlink in rendered-specs tree, treated as drift: {path_str}",
+                file=sys.stderr,
+            )
+            real_diffs.append(
+                {
+                    "path": path_str,
+                    "component": component_from_path(path_str),
+                    "diff": f"Symlink {path_str} — refusing to follow",
+                }
+            )
+            continue
+
         # Read committed version — use bytes to handle binary files
         try:
-            committed_bytes = subprocess.run(
-                ["git", "show", f"HEAD:{path_str}"],
-                capture_output=True,
-                check=True,
-            ).stdout
-        except subprocess.CalledProcessError:
+            committed_bytes = _git_bytes("show", f"HEAD:{path_str}")
+        except subprocess.CalledProcessError as exc:
+            print(
+                f"::warning::git show HEAD:{path_str} failed: {exc}",
+                file=sys.stderr,
+            )
             continue
 
         # Try to decode as UTF-8; if it fails, it's binary — always a real diff
@@ -131,9 +165,26 @@ def filter_timestamp_noise(changed_files: list[str], specs_dir: Path) -> list[di
             )
             continue
 
+        # Read working tree; use O_NOFOLLOW-equivalent guard above (is_symlink),
+        # and strict decode so true binaries route through the binary branch.
         try:
-            working = file_path.read_text(encoding="utf-8", errors="replace")
+            working_bytes = file_path.read_bytes()
         except FileNotFoundError:
+            print(
+                f"::warning::working tree file missing during read: {path_str}",
+                file=sys.stderr,
+            )
+            continue
+        try:
+            working = working_bytes.decode("utf-8")
+        except UnicodeDecodeError:
+            real_diffs.append(
+                {
+                    "path": path_str,
+                    "component": component_from_path(path_str),
+                    "diff": f"Binary file {path_str} differs",
+                }
+            )
             continue
 
         if is_spec:
@@ -228,53 +279,54 @@ def generate_patch(
     if not paths:
         return b""
 
-    # Write paths to temp files outside CWD (which may be an untrusted
-    # PR checkout where symlinks could redirect writes).
     pathspec_fd, pathspec_path = tempfile.mkstemp(prefix="render-check-", suffix=".txt")
     with os.fdopen(pathspec_fd, "w") as f:
         f.write("\n".join(paths))
 
-    # Mark untracked files as intent-to-add so git diff includes them
-    extra_pathspec_path = None
-    if extra_files:
-        extra_fd, extra_pathspec_path = tempfile.mkstemp(
-            prefix="render-check-extra-", suffix=".txt"
-        )
-        with os.fdopen(extra_fd, "w") as f:
-            f.write("\n".join(extra_files))
-        try:
+    extra_pathspec_path: str | None = None
+    try:
+        # Mark untracked files as intent-to-add so git diff includes them
+        if extra_files:
+            extra_fd, extra_pathspec_path = tempfile.mkstemp(
+                prefix="render-check-extra-", suffix=".txt"
+            )
+            with os.fdopen(extra_fd, "w") as f:
+                f.write("\n".join(extra_files))
             subprocess.run(
                 ["git", "add", "-N", "--pathspec-from-file", extra_pathspec_path],
                 check=True,
                 capture_output=True,
             )
-        except subprocess.CalledProcessError:
-            pass
 
-    try:
-        result = subprocess.run(
-            ["git", "diff", "--pathspec-from-file", pathspec_path],
-            capture_output=True,
-            check=True,
-        )
-        patch = result.stdout
-    except subprocess.CalledProcessError:
-        patch = b""
-    finally:
-        Path(pathspec_path).unlink(missing_ok=True)
-
-    # Undo the intent-to-add so we don't leave index dirty
-    if extra_pathspec_path:
         try:
-            subprocess.run(
-                ["git", "reset", "--pathspec-from-file", extra_pathspec_path],
-                check=True,
+            result = subprocess.run(
+                ["git", "diff", "--pathspec-from-file", pathspec_path],
                 capture_output=True,
+                check=True,
+            )
+            patch = result.stdout
+        except subprocess.CalledProcessError as exc:
+            print(
+                f"::warning::git diff failed while generating patch: {exc}",
+                file=sys.stderr,
             )
-        except subprocess.CalledProcessError:
-            pass
-        finally:
-            Path(extra_pathspec_path).unlink(missing_ok=True)
+            patch = b""
+    finally:
+        Path(pathspec_path).unlink(missing_ok=True)
+        if extra_pathspec_path:
+            try:
+                subprocess.run(
+                    ["git", "reset", "--pathspec-from-file", extra_pathspec_path],
+                    check=True,
+                    capture_output=True,
+                )
+            except subprocess.CalledProcessError as exc:
+                print(
+                    f"::warning::git reset (undo intent-to-add) failed: {exc}",
+                    file=sys.stderr,
+                )
+            finally:
+                Path(extra_pathspec_path).unlink(missing_ok=True)
 
     return patch