ci: fix expression injection pattern in l10n workflow#2319
Welcome to GitGitGadget

Hi @XananasX7, and welcome to GitGitGadget, the GitHub App to send patch series to the Git mailing list from GitHub Pull Requests. Please make sure that either:

You can CC potential reviewers by adding a footer to the PR description with the following syntax:

NOTE: DO NOT copy/paste your CC list from a previous GGG PR's description. Also, it is a good idea to review the commit messages one last time, as the Git project expects them in a quite specific form:

It is in general a good idea to await the automated test ("Checks") in this Pull Request before contributing the patches, e.g. to avoid trivial issues such as unportable code.

Contributing the patches

Before you can contribute the patches, your GitHub username needs to be added to the list of permitted users. Any already-permitted user can do that, by adding a comment to your PR of the form
Both the person who commented
An alternative is the channel
Once on the list of permitted usernames, you can contribute the patches to the Git mailing list by adding a PR comment
If you want to see what email(s) would be sent for a
After you submit, GitGitGadget will respond with another comment that contains the link to the cover letter mail in the Git mailing list archive. Please make sure to monitor the discussion in that thread and to address comments and suggestions (while the comments and suggestions will be mirrored into the PR by GitGitGadget, you will still want to reply via mail). If you do not want to subscribe to the Git mailing list just to be able to respond to a mail, you can download the mbox from the Git mailing list archive (click the

    curl -g --user "<EMailAddress>:<Password>" \
      --url "imaps://imap.gmail.com/INBOX" -T /path/to/raw.txt

To iterate on your change, i.e. send a revised patch or patch series, you will first want to (force-)push to the same branch. You probably also want to modify your Pull Request description (or title). It is a good idea to summarize the revision by adding something like this to the cover letter (read: by editing the first comment on the PR, i.e. the PR description):

To send a new iteration, just add another PR comment with the contents:

Need help?

New contributors who want advice are encouraged to join git-mentoring@googlegroups.com, where volunteers who regularly contribute to Git are willing to answer newbie questions, give advice, or otherwise provide mentoring to interested contributors. You must join in order to post or view messages, but anyone can join. You may also be able to find help in real time in the developer IRC channel,
Errors and warnings found by git-po-helper in workflow #9394: |
Thanks for the review. The git-po-helper warning about author vs committer email mismatch — I'll fix the commit authorship so both author and committer use the same email. The l10n workflow fix itself (moving
There are issues in commit 66bca60:
There are issues in commit c261aa1:
@XananasX7 you're supposed to squash the fixups before submitting the patch. Also, you will want to avoid being ignored due to a commit message that is vastly different from existing ones. I suggest getting inspired by https://github.blog/2022-06-30-write-better-commits-build-better-projects/ to improve it, in particular with a strong focus on this part:
The "Setup base and head objects" step interpolates four GitHub
context values directly into the shell script body:
    base=${{ github.event.pull_request.base.sha }}
    head=${{ github.event.pull_request.head.sha }}
    base=${{ github.event.before }}
    head=${{ github.event.after }}
GitHub's security hardening guide[1] warns that interpolating context
values directly into `run:` steps creates an expression-injection
vector: if a value ever contains shell metacharacters, an attacker
can alter the behaviour of the step. The sha fields used here are
controlled by GitHub itself and are currently safe, but the pattern
is still flagged by zizmor and OSSF Scorecard, and locking it down
now prevents surprises if the trigger conditions or context sources
ever change.
Move the four values into an `env:` block on the same step:
    env:
      BASE_PR: ${{ github.event.pull_request.base.sha }}
      HEAD_PR: ${{ github.event.pull_request.head.sha }}
      BASE_PUSH: ${{ github.event.before }}
      HEAD_PUSH: ${{ github.event.after }}
The shell script then reads the pre-expanded environment variables
($BASE_PR, $HEAD_PR, $BASE_PUSH, $HEAD_PUSH) instead of raw context
expressions, which is safe regardless of the value's content.
[1]: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections
Signed-off-by: El Mehdi Abenhazou <mehdiananas007@gmail.com>
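As an added example (not code from this PR or from git.git), a small line-based scanner in the spirit of the zizmor/actionlint check the commit message mentions: it flags `${{ }}` expressions expanded inside `run:` script bodies and ignores the same expressions under `env:`, run over a constructed step modelled on the one above (the sample YAML is constructed, not the real l10n.yml).

```python
import re

# Constructed sample modelled on the "Setup base and head objects" step, not
# the real l10n.yml: step one interpolates context into the shell body,
# step two passes the same values through env: and reads them back as $VARS.
SAMPLE_WORKFLOW = """\
jobs:
  git-po-helper:
    steps:
      - name: Setup base and head objects (before)
        run: |
          base=${{ github.event.pull_request.base.sha }}
          head=${{ github.event.pull_request.head.sha }}
      - name: Setup base and head objects (after)
        env:
          BASE_PR: ${{ github.event.pull_request.base.sha }}
          HEAD_PR: ${{ github.event.pull_request.head.sha }}
        run: |
          base=$BASE_PR
          head=$HEAD_PR
      - name: inline form
        run: echo ${{ github.event.after }}
"""

EXPR = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")     # one ${{ ... }} expression
RUN_KEY = re.compile(r"(\s*)(-\s+)?run:\s*(.*)$")  # a 'run:' mapping key

def find_run_injections(text):
    """Return (line_no, expression) for every ${{ }} expanded into a run:
    script body; expressions under env:/with: are the fix, so not reported."""
    hits = []
    run_indent = None   # column of the 'run:' key while inside its block scalar
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if run_indent is not None:
            if stripped and indent <= run_indent:
                run_indent = None        # block scalar has ended
            else:
                hits += [(no, m.group(1)) for m in EXPR.finditer(line)]
                continue
        m = RUN_KEY.match(line)
        if m:
            body = m.group(3).strip()
            if re.fullmatch(r"([|>][+-]?)?", body):   # 'run: |' style block
                run_indent = indent + len(m.group(2) or "")
            else:                                      # inline 'run: cmd'
                hits += [(no, x.group(1)) for x in EXPR.finditer(body)]
    return hits
```

Every hit is a candidate for the env: move shown in the commit message; a clean result on the "after" step is what zizmor and Scorecard would also report as resolved.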
Branch updated from c261aa1 to 7b63b4c
Thanks for the detailed feedback @dscho — addressed everything:
The change itself is the same: the four context values (
/allow
User XananasX7 is now allowed to use GitGitGadget. WARNING: XananasX7 has no public email address set on GitHub; GitGitGadget needs an email address to Cc: you on your contribution, so that you receive any feedback on the Git mailing list. Go to https://github.com/settings/profile to make your preferred email public to let GitGitGadget know which email address to use.
The l10n.yml workflow injects GitHub Actions expressions directly into shell `run` steps:

While these values happen to be hex SHAs, the pattern is flagged by security scanners (zizmor, actionlint) and violates GitHub's security hardening best practices.
Fix: move expressions into env vars and reference env vars in the shell script.
Ref: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections