fix(node): security vulnerability in rebuild-bot (#602)
To address a security issue, the `@projen rebuild` workflow will no longer be triggered by a comment on the pull request. This commit removes the `issue_comment` trigger from rebuild-bot workflow so that this workflow can only be executed manually by administrators.

Additional details will be provided at a future date.
eladb committed Mar 9, 2021
1 parent 284d916 commit 36030c6
Showing 3 changed files with 14 additions and 12 deletions.
3 changes: 0 additions & 3 deletions .github/workflows/rebuild-bot.yml
Expand Up @@ -2,9 +2,6 @@

name: rebuild-bot
on:
issue_comment:
types:
- created
workflow_dispatch: {}
jobs:
build:
6 changes: 0 additions & 6 deletions src/__tests__/__snapshots__/integ.test.ts.snap
Expand Up @@ -317,9 +317,6 @@ jobs:
name: rebuild-bot
on:
issue_comment:
types:
- created
workflow_dispatch: {}
jobs:
build:
Expand Down Expand Up @@ -4206,9 +4203,6 @@ jobs:
name: rebuild-bot
on:
issue_comment:
types:
- created
workflow_dispatch: {}
jobs:
build:
17 changes: 14 additions & 3 deletions src/node-project.ts
Expand Up @@ -881,7 +881,13 @@ export class NodeProject extends Project {

const workflow = github.addWorkflow(name);

workflow.on(options.trigger);
if (options.trigger) {
if (options.trigger.issue_comment) {
throw new Error('"issue_comment" should not be used as a trigger due to a security issue');
}

workflow.on(options.trigger);
}

workflow.on({
workflow_dispatch: {}, // allow manual triggering
Expand Down Expand Up @@ -1041,7 +1047,7 @@ export class NodeProject extends Project {
});

this.createBuildWorkflow('rebuild-bot', {
trigger: { issue_comment: { types: ['created'] } },
// trigger: { issue_comment: { types: ['created'] } }, // <--- disabled due to a security issue
condition: `\${{ github.event.issue.pull_request && contains(github.event.comment.body, '@projen ${command}') }}`,
antitamperDisabled: true, // definitely do not want that

Expand Down Expand Up @@ -1107,7 +1113,12 @@ interface NodeBuildWorkflowOptions {
*/
readonly artifactDirectory?: string;

readonly trigger: { [event: string]: any };
/**
* What should trigger the workflow?
*
* @default - by default workflows can only be triggered by manually.
*/
readonly trigger?: { [event: string]: any };

/**
* Bump a new version for this build.
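Review bot: In the `createBuildWorkflow('rebuild-bot', …)` hunk the `issue_comment` trigger is commented out, but the `condition` right below it still reads `github.event.issue.pull_request` and `github.event.comment.body`, which are populated only for `issue_comment` payloads; on the sole remaining trigger, `workflow_dispatch`, those lookups should resolve to null, so if `condition` is emitted as the job's `if:` expression (the consumer is outside this hunk, so this is inferred from the name) the expression is falsy and the manual run the commit message relies on would be silently skipped. The simplest fix mirrors what was done to the trigger: `// condition: \`\${{ github.event.issue.pull_request && contains(github.event.comment.body, '@projen ${command}') }}\`, // <--- disabled together with the issue_comment trigger`, or, if a condition is required, gate on `github.event_name == 'workflow_dispatch'` instead. It would also be worth a comment on the disabled `trigger` line stating that `workflow_dispatch` is available to anyone with write access to the repository, not only administrators, so the access model after this change is recorded where the next maintainer will read it. The options object passed to `createBuildWorkflow` continues past the end of the hunk, so later options may already address this.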
