
fix(actions): prevent command injection in GHA workflow (WPB-9709) #17620

Merged: 1 commit merged into dev from WPB-9709-fix-gha-cmd-injection on Aug 7, 2024

Conversation

lwille
Contributor

@lwille lwille commented Jun 19, 2024

Description

It was possible to run arbitrary commands in the context of the GitHub Actions workflow by using an unsanitized user input (env) in a run step.

As a best practice, we shall try to sanitize any user input, which can be done by passing it through an env var.

References

Checklist

  • PR has been self-reviewed by the author;
Task: WPB-9709 Fix GHA pipeline command injection vulnerabilities
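As an added example (not code from this PR or its project), the script below simulates the two patterns the description contrasts: a `${{ ... }}` expression expanded textually into a `run` step, versus the same value delivered through an env var. The expression name, the input value and the helper functions are constructed for the demonstration, and `sh -c` stands in for the Actions runner.

```shell
#!/bin/sh
# Added example, not from the PR. The Actions runner substitutes ${{ ... }}
# expressions into the run script as text before the shell parses it; an
# env var delivers the same value as data instead. sh -c stands in for the
# runner here; the input value and function names are constructed.

# Constructed untrusted input, e.g. a pull request title supplied by an
# external contributor. The quote and semicolons end the intended command.
UNTRUSTED_TITLE='fix typo"; echo INJECTED; echo "'

# Vulnerable pattern (expression name is an assumption for illustration):
#   run: echo "${{ github.event.pull_request.title }}"
# The title becomes part of the script source, so shell metacharacters in it
# are interpreted as commands.
run_inline_interpolation() {
  script="echo \"$1\""          # textual substitution, as the runner does it
  sh -c "$script"
}

# Fixed pattern (the approach the PR applies):
#   env:
#     TITLE: ${{ github.event.pull_request.title }}
#   run: echo "$TITLE"
# The script source is constant; the title only ever arrives as env data.
run_via_env() {
  TITLE="$1" sh -c 'echo "$TITLE"'
}

# Exit 0 when the marker from the injected command appears on stdin.
has_injection_marker() {
  grep -q '^INJECTED$'
}

# Exit 0 when the env-var pattern echoes the input verbatim, i.e. no part of
# it was executed as a command.
env_pattern_is_safe() {
  out=$(run_via_env "$1")
  [ "$out" = "$1" ] && ! printf '%s\n' "$out" | has_injection_marker
}

echo "--- inline interpolation (vulnerable) ---"
run_inline_interpolation "$UNTRUSTED_TITLE"
echo "--- env var (fixed) ---"
run_via_env "$UNTRUSTED_TITLE"
```

Quoting `"$TITLE"` in the fixed step also avoids word splitting and globbing; even unquoted, an env var cannot turn its contents into new commands the way textual interpolation does.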


sonarcloud bot commented Jun 19, 2024

@lwille force-pushed the WPB-9709-fix-gha-cmd-injection branch 2 times, most recently from 7268ced to 1dae6e7 on August 5, 2024 14:46
@lwille added the `security` (pull requests that address a security vulnerability) and `type: chore 🧹` labels and removed the `type: bug / fix 🐞` label on Aug 5, 2024
@lwille requested review from a team and removed the request for a team on August 7, 2024 13:23
It was possible to run arbitrary commands in the context of the GitHub Actions workflow
by using an unsanitized user input (`env`) in a run step.

As a best practice, we shall try to sanitize any user input.
related to WPB-9709

sonarcloud bot commented Aug 7, 2024

@codecov-commenter commented

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 46.59%. Comparing base (84b89bd) to head (fbf3b16).
Report is 2 commits behind head on dev.

Additional details and impacted files
@@            Coverage Diff             @@
##              dev   #17620      +/-   ##
==========================================
+ Coverage   46.58%   46.59%   +0.01%     
==========================================
  Files         781      781              
  Lines       25158    25161       +3     
  Branches     5753     5756       +3     
==========================================
+ Hits        11719    11723       +4     
  Misses      11964    11964              
+ Partials     1475     1474       -1     

@tlebon tlebon merged commit 5d2dbae into dev Aug 7, 2024
13 checks passed
@tlebon tlebon deleted the WPB-9709-fix-gha-cmd-injection branch August 7, 2024 16:28
Labels: comp: infrastructure, security (pull requests that address a security vulnerability), 👕 size: XS, type: bug / fix 🐞