From 324ff12a1e3b69d9c9f586a51b8bf3f2c8067109 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Tue, 15 Aug 2023 19:25:21 +0100 Subject: [PATCH] feat: Add directory input to Maven builder (#2538) Adds another `input` for the Maven builder to allow the user to specify the project directory. The current problem this solves is to make https://github.com/slsa-framework/example-package/pull/253 work. This was suggested by @laurentsimon in https://github.com/slsa-framework/example-package/pull/253#discussion_r1282455298 --------- Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Signed-off-by: AdamKorcz Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- .github/workflows/builder_maven_slsa3.yml | 5 ++++ internal/builders/maven/action.yml | 29 +++++++++++++++++++++++ 2 files changed, 34 insertions(+) diff --git a/.github/workflows/builder_maven_slsa3.yml b/.github/workflows/builder_maven_slsa3.yml index b604ca2d5c..8e2b580615 100644 --- a/.github/workflows/builder_maven_slsa3.yml +++ b/.github/workflows/builder_maven_slsa3.yml @@ -27,6 +27,11 @@ on: required: false default: 17 type: number + directory: + description: "Sub-directory to launch the build from. Must be under the workspace. Relative from the root of the file directory when invoking the builder." + required: false + type: string + default: "." outputs: provenance-name: diff --git a/internal/builders/maven/action.yml b/internal/builders/maven/action.yml index 7ad4441cca..ab61e29c4d 100644 --- a/internal/builders/maven/action.yml +++ b/internal/builders/maven/action.yml 
@@ -68,12 +68,41 @@ runs:
 shell: bash
 env:
 SLSA_OUTPUTS_ARTIFACTS_FILE: ${{ inputs.slsa-layout-file }}
+ UNTRUSTED_PROJECT_ROOT: ${{ fromJson(inputs.slsa-workflow-inputs).directory }}
 run: |
+ # Ensure no directory traversal.
+ # NOTE: the actions/download-artifact Action only creates files
+ # in the workspace directory, but this may change in the future.
+ # TODO(#1893): Consolidate directory traversal checks
+ validate_path() {
+ untrusted_path=$1
+ resolved_dir=$(readlink -m "$untrusted_path")
+ wd=$(readlink -m "${GITHUB_WORKSPACE}")
+ if [[ "${resolved_dir}" != "${wd}"/* ]] && [[ "${resolved_dir}" != "${wd}" ]]; then
+ if [[ "${RUNNER_TEMP}" != "" ]] && [[ "${resolved_dir}" != "${RUNNER_TEMP}"/* ]] && [[ "${resolved_dir}" != "${RUNNER_TEMP}" ]]; then
+ if [[ "${resolved_dir}" != /tmp/* ]] && [[ "${resolved_dir}" != "/tmp" ]]; then
+ echo "Path is not in the workspace or temp directory: $untrusted_path"
+ exit 1
+ fi
+ fi
+ fi
+ }
+
+ validate_path "${UNTRUSTED_PROJECT_ROOT}"
+
+ # remove trailing "/"'s with `realpath`
+ project_root=$(realpath "${UNTRUSTED_PROJECT_ROOT}")
+
 mv ./__BUILDER_CHECKOUT_DIR__ ../__BUILDER_CHECKOUT_DIR__ \
 && cd ../__BUILDER_CHECKOUT_DIR__/actions/maven/publish/slsa-hashing-plugin \
 && mvn clean install \
 && cd - \
+ && cd "${project_root}" \
 && mvn package -Drun.hash.jarfile=true
+ # NOTE: SLSA_OUTPUTS_ARTIFACTS_FILE is a relative path and the project_root may
+ # not be in GITHUB_WORKSPACE, so we need to move the file.
+ mv $(dirname "${SLSA_OUTPUTS_ARTIFACTS_FILE}") "${GITHUB_WORKSPACE}/../"
+ mv target "${GITHUB_WORKSPACE}/"
 - name: Upload target
 id: upload-target
 uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-folder@main
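Review bot: `validate_path` fails open when `RUNNER_TEMP` is empty: the middle `if` is then false, so `exit 1` is never reached and a `directory` value that resolves outside the workspace is accepted (RUNNER_TEMP is normally set on GitHub runners, so this is presumably latent rather than reachable today). The check also admits `RUNNER_TEMP` and `/tmp`, while the input description in builder_maven_slsa3.yml says the directory must be under the workspace; for a project root the workspace test alone looks sufficient, i.e. `if [[ "${resolved_dir}" != "${wd}"/* ]] && [[ "${resolved_dir}" != "${wd}" ]]; then echo "Path is not in the workspace: $untrusted_path"; exit 1; fi`. If the temp directories are intended, the empty-`RUNNER_TEMP` case should be tested separately so that it falls through to the `/tmp` test instead of skipping it, and `RUNNER_TEMP` should be canonicalised with `readlink -m` like `wd` before the comparison. Separately, `project_root` comes from a second `realpath` of the untrusted value rather than from the `resolved_dir` that was actually checked, and `$(dirname "${SLSA_OUTPUTS_ARTIFACTS_FILE}")` in the first added `mv` is unquoted.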