From bdb770a0aa4f40b7e6ff0ec3403fe63fee2d9bfa Mon Sep 17 00:00:00 2001
From: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
Date: Tue, 21 Dec 2021 21:46:09 +1300
Subject: [PATCH] ci(fix): Do not trust user controlled input (#2337)
The prepare workflow runs in an untrusted context already and thus should not have anything worthwhile to exploit. However care should still be taken to avoid interpolating expressions into shell scripts directly that is data a user can control the value of. Especially to avoid any maintainer referencing an existing workflow from copying a risky snippet unaware of different security contexts for workflows. In this case, as per Github Documentation and referenced issue comment, the PR title is user controllable data, which if directly interpolated into the shell script being run (as it previously was), allows for injecting commands to execute.
---
 .github/workflows/docs-preview-prepare.yml | 9 +++++++--
 .github/workflows/docs-production-deploy.yml | 6 +++---
 2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/docs-preview-prepare.yml b/.github/workflows/docs-preview-prepare.yml
index 74276fba..ffeb783e 100644
--- a/.github/workflows/docs-preview-prepare.yml
+++ b/.github/workflows/docs-preview-prepare.yml
@@ -26,7 +26,7 @@ jobs:
 NETLIFY_SITE_PREFIX: pullrequest-${{ github.event.pull_request.number }}
 NETLIFY_SITE_NAME: dms-doc-previews
 steps:
- - uses: actions/checkout@v2.3.4
+ - uses: actions/checkout@v2.4.0
 - name: 'Build with mkdocs-material via Docker'
 working-directory: docs
@@ -53,12 +53,17 @@ jobs:
 # Minimize risk of upload failure by bundling files to a single compressed archive (tar + zstd).
 # Bundles build dir and env file into a compressed archive, nested file paths will be preserved.
 - name: 'Prepare artifact for transfer'
+ env:
+ # As a precaution, reference this value by an interpolated ENV var;
+ # instead of interpolating user controllable input directly in the shell script..
+ # https://github.com/docker-mailserver/docker-mailserver/issues/2332#issuecomment-998326798
+ PR_TITLE: ${{ github.event.pull_request.title }}
 run: |
 # Save ENV for transfer
 {
 echo "PR_HEADSHA=${{ github.event.pull_request.head.sha }}"
 echo "PR_NUMBER=${{ github.event.pull_request.number }}"
- echo "PR_TITLE=${{ github.event.pull_request.title }}"
+ echo "PR_TITLE=${PR_TITLE}"
 echo "NETLIFY_SITE_PREFIX=${{ env.NETLIFY_SITE_PREFIX }}"
 echo "BUILD_DIR=${{ env.BUILD_DIR }}"
 } >> pr.env
diff --git a/.github/workflows/docs-production-deploy.yml b/.github/workflows/docs-production-deploy.yml
index 539e4526..cb1aaa01 100644
--- a/.github/workflows/docs-production-deploy.yml
+++ b/.github/workflows/docs-production-deploy.yml
@@ -26,7 +26,7 @@ jobs:
 name: 'Deploy Docs'
 runs-on: ubuntu-20.04
 steps:
- - uses: actions/checkout@v2.3.4
+ - uses: actions/checkout@v2.4.0
 - name: 'Check if deploy is for a `v.` tag version instead of `edge`'
 if: startsWith(github.ref, 'refs/tags/')
@@ -75,10 +75,10 @@ jobs:
 needs: deploy
 steps:
 - name: 'Checkout the tagged commit (shallow clone)'
- uses: actions/checkout@v2.3.4
+ uses: actions/checkout@v2.4.0
 - name: 'Checkout the docs deployment branch to a subdirectory'
- uses: actions/checkout@v2.3.4
+ uses: actions/checkout@v2.4.0
 with:
 ref: gh-pages
 path: gh-pages
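Review bot: Routing the title through `env:` makes this step's shell safe, but the new `echo "PR_TITLE=${PR_TITLE}"` still writes the raw title unescaped into pr.env, so a title containing `$(…)`, backticks or a double quote is carried verbatim to whatever privileged workflow later reads that file; the consumer is not visible here, and whether it `source`s pr.env or parses it key-by-key decides if this is still exploitable. Because pr.env crosses the trust boundary the commit message describes, I would either drop PR_TITLE from the file and let the downstream job fetch the title via the API using PR_NUMBER, or write it in an escaped form, e.g. `printf 'PR_TITLE=%q\n' "${PR_TITLE}"` (bash `%q`), with a comment such as `# escaped: the untrusted title must not reach the consumer of pr.env as a bare shell string`. For consistency the `${{ github.event.pull_request.head.sha }}` and `${{ github.event.pull_request.number }}` interpolations on the preceding lines are better moved into the same `env:` block as well; those values are hard to abuse, but one uniform pattern is what a maintainer copying this snippet will reproduce. The `run:` script closes at `} >> pr.env` within the hunk, while the enclosing job definition continues outside it.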