SECURITY ISSUE: using * in message causes listing of circleci project root directory into notification #265

Closed
williamfalconeruk opened this issue Apr 23, 2021 · 3 comments
Labels
bug Something isn't working

Comments

williamfalconeruk commented Apr 23, 2021

Orb version: 4.4.0

What happened:

Added a commit message with a simple `*` into a dynamic template section, e.g.

```json
{
    "blocks": [],
    "attachments":
    [
        {
            "color": "#508c18",
            "blocks":
            [
                {
                    "type": "header",
                    "text": {
                    "type": "plain_text",
                    "text": "Online LPA Development Environment Ready",
                    "emoji": false
                    }
                },
                {
                    "type": "section",
                    "text": {
                    "type": "mrkdwn",
                    "text": "public facing url: <https://${PUBLIC_FACING_DOMAIN}/home>"
                    }
                },
                {
                    "type": "section",
                    "text": {
                    "type": "mrkdwn",
                    "text": "front url: <https://${FRONT_DOMAIN}>"
                    }
                },
                {
                    "type": "section",
                    "text": {
                    "type": "mrkdwn",
                    "text": "admin url: <https://${ADMIN_DOMAIN}>"
                    }
                },
                {
                    "type": "context",
                    "elements":
                    [
                        {
                            "type": "mrkdwn",
                            "text": "commit. message: ${COMMIT_MESSAGE}"
                        }
                    ]
                }
            ]
        }
    ]
}
```

generates:

```json
{
    "blocks": [],
    "attachments":
    [
        {
            "color": "#508c18",
            "blocks":
            [
                {
                    "type": "header",
                    "text": {
                    "type": "plain_text",
                    "text": "Online LPA Development Environment Ready",
                    "emoji": false
                    }
                },
                {
                    "type": "section",
                    "text": {
                    "type": "mrkdwn",
                    "text": "public facing url: <https://${PUBLIC_FACING_DOMAIN}/home>"
                    }
                },
                {
                    "type": "section",
                    "text": {
                    "type": "mrkdwn",
                    "text": "front url: <https://${FRONT_DOMAIN}>"
                    }
                },
                {
                    "type": "section",
                    "text": {
                    "type": "mrkdwn",
                    "text": "admin url: <https://${ADMIN_DOMAIN}>"
                    }
                },
                {
                    "type": "context",
                    "elements":
                    [
                        {
                            "type": "mrkdwn",
                            "text": "commit message: *"
                        }
                    ]
                }
            ]
        }
    ]
}
```

  • Run orb
  • The commit message lists the contents of the root of the `~/project` directory in the message. Details not provided for security reasons.

See: https://app.circleci.com/pipelines/github/ministryofjustice/opg-lpa/3727/workflows/58a73bf3-1282-4bce-9e99-52d9871efe30

Expected behavior:

It should show `*` as the notification content, not the directory contents.

Additional Information:

williamfalconeruk added the "bug: Something isn't working" label Apr 23, 2021
@klsetzer

Is it possible to write Orbs in a different language? Writing secure code in shell is a mess.

williamfalconeruk (Author) commented Apr 23, 2021

> Is it possible to write Orbs in a different language? Writing secure code in shell is a mess.

I'm not exactly sure of this; we were having the same conversation internally just now about it. It would certainly be helpful. I guess you could write the orb to call some compiled Go code or Python, for example, but I'm not sure.

EricRibeiro (Contributor) commented

I couldn't replicate this in the latest version of the orb. I tried using the template provided above with `*` as the commit message. I'm populating `COMMIT_MESSAGE` in the following way:

```shell
echo 'export COMMIT_MESSAGE="$(git log --format=oneline -n 1 "$CIRCLE_SHA1")"' >> "$BASH_ENV"
```

I'll close the issue, but I'm happy to re-open it if the problem persists.
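The mechanism behind the report above, as an added example that is neither the orb's code nor the reporter's: a deliberately simplified model of the substitution step in which the interpolated notification text is echoed without quotes (an assumption about where the expansion happened, not something the thread confirms), next to the quoted form that keeps a commit message of `*` literal instead of turning it into a listing of the checkout directory.

```shell
#!/usr/bin/env sh
# Added example, not the slack orb's own code. It models the bug in the issue
# with a simplified substitution step: the commit message is interpolated into
# the notification text and then echoed WITHOUT quotes, so the shell applies
# word splitting and pathname expansion to the result.

# Vulnerable form: a message consisting of "*" comes back as a listing of the
# current directory (in CI, the project checkout).
render_unsafe() {
    text="commit message: $1"
    echo $text
}

# Hardened form: the expansion is quoted, so glob characters stay literal.
render_safe() {
    text="commit message: $1"
    printf '%s\n' "$text"
}

# Run a renderer inside a given directory and return its output, so the
# effect of pathname expansion is observable without changing the caller's cwd.
render_in_dir() {
    dir="$1"; renderer="$2"; message="$3"
    (cd "$dir" && "$renderer" "$message")
}

# Demonstration on a scratch "checkout" constructed for this example.
demo() {
    scratch="$(mktemp -d)"
    touch "$scratch/config.yml" "$scratch/secret.env"
    echo "unsafe: $(render_in_dir "$scratch" render_unsafe '*')"
    echo "safe:   $(render_in_dir "$scratch" render_safe '*')"
    rm -rf "$scratch"
}
```

For real JSON payloads the robust route is to build the document with a JSON-aware tool (for example `jq --arg`) rather than string interpolation, so that quotes and backslashes in the message are escaped as well as globs.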
