From f19bbe182e9d081bbb35dadd4bf012e3254b338b Mon Sep 17 00:00:00 2001 From: Mahe Tardy Date: Tue, 22 Oct 2024 10:52:43 +0200 Subject: [PATCH] workflows: fix usage of untrusted input in check links A user could create a branch with a particular name that would trigger a command injection because we use this input directly in the shell scripts generation. See more details in https://securitylab.github.com/resources/github-actions-untrusted-input/. This also updates the lychee action that no longer need an explicit GITHUB_TOKEN env variable lycheeverse/lychee-action#195 and reduce the permissions needed by the token in both check links workflows. Reported-by: Piergiorgio Ladisa Signed-off-by: Mahe Tardy --- .github/workflows/build-images-ci.yml | 4 +++- .github/workflows/check-links-cron.yaml | 6 +++--- .github/workflows/check-links-pr.yaml | 13 ++++++------- 3 files changed, 12 insertions(+), 11 deletions(-) diff --git a/.github/workflows/build-images-ci.yml b/.github/workflows/build-images-ci.yml index b2bacda94e9..9436b351413 100644 --- a/.github/workflows/build-images-ci.yml +++ b/.github/workflows/build-images-ci.yml @@ -56,6 +56,8 @@ jobs: - name: Getting image tag id: tag + env: + REF_NAME: ${{ github.ref_name }} run: | if [ ${{ github.event.pull_request.head.sha }} != "" ]; then echo "tag=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT @@ -66,7 +68,7 @@ jobs: if [ ${{ github.ref_name }} == "main" ]; then echo "name=latest" | tee -a $GITHUB_OUTPUT else - echo "name=${{ github.ref_name }}" | tee -a $GITHUB_OUTPUT + echo "name=$REF_NAME" | tee -a $GITHUB_OUTPUT fi fi diff --git a/.github/workflows/check-links-cron.yaml b/.github/workflows/check-links-cron.yaml index ba45d655816..c214a924cdc 100644 --- a/.github/workflows/check-links-cron.yaml +++ b/.github/workflows/check-links-cron.yaml @@ -13,6 +13,8 @@ jobs: env: ISSUE_NAME: 'Documentation: broken links automatic report' runs-on: ubuntu-latest + permissions: + issues: write steps: - name: Checkout uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 @@ -21,9 +23,7 @@ jobs: - name: Links Checker id: lychee - uses: lycheeverse/lychee-action@2b973e86fc7b1f6b36a93795fe2c9c6ae1118621 # v1.10.0 - env: - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} + uses: lycheeverse/lychee-action@7cd0af4c74a61395d455af97419279d86aafaede # v2.0.2 with: args: --config .github/lychee.toml --base https://tetragon.io docs/content README.md diff --git a/.github/workflows/check-links-pr.yaml b/.github/workflows/check-links-pr.yaml index e8f529a3aea..ffb15c4f926 100644 --- a/.github/workflows/check-links-pr.yaml +++ b/.github/workflows/check-links-pr.yaml @@ -12,6 +12,7 @@ on: jobs: links-checker: runs-on: ubuntu-latest + permissions: {} # lychee uses the GITHUB_TOKEN for authentication only env: PATCH_FILE: "additions.patch" steps: @@ -28,10 +29,10 @@ jobs: - name: Retrieve additions and replace GitHub main links with local branch shell: bash + env: + REPO: ${{ github.event.pull_request.head.repo.full_name }} + BRANCH: ${{ github.event.pull_request.head.ref }} run: | - REPO=${{ github.event.pull_request.head.repo.full_name }} - BRANCH=${{ github.event.pull_request.head.ref }} - git diff -U0 origin/${{ github.base_ref }} -- docs/content README.md | { grep ^\+[^+] || true; } > $PATCH_FILE sed -i "s#/cilium/tetragon/tree/main#/$REPO/tree/$BRANCH#g" $PATCH_FILE @@ -57,9 +58,7 @@ jobs: - name: Check new links id: lychee - uses: lycheeverse/lychee-action@2b973e86fc7b1f6b36a93795fe2c9c6ae1118621 # v1.10.0 - env: - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} + uses: lycheeverse/lychee-action@7cd0af4c74a61395d455af97419279d86aafaede # v2.0.2 with: args: --config .github/lychee.toml --base http://localhost:1313 $PATCH_FILE - fail: true + failIfEmpty: false # this can happen as we are checking diffs