From 8ece5e490764c458050b04f3be699e1eb5c18d60 Mon Sep 17 00:00:00 2001
From: rhysd
Date: Sat, 4 Sep 2021 21:52:01 +0900
Subject: [PATCH] link to the new official security document instead of securitylab blog post
from: https://securitylab.github.com/research/github-actions-untrusted-input
to: https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions
---
 README.md | 2 +-
 docs/checks.md | 7 ++++---
 expr_insecure.go | 5 +++--
 scripts/generate-actionlint-matcher/test/escape.txt | 2 +-
 scripts/generate-actionlint-matcher/test/no_escape.txt | 2 +-
 scripts/generate-actionlint-matcher/test/want.json | 2 +-
 testdata/err/github_script_untrusted_input.out | 2 +-
 testdata/err/nested_untrusted_input.out | 6 +++---
 testdata/err/one_error.out | 2 +-
 testdata/examples/main.out | 2 +-
 testdata/examples/untrusted_input.out | 4 ++--
 11 files changed, 19 insertions(+), 17 deletions(-)
diff --git a/README.md b/README.md
index 2824f8d93..e0345659d 100644
--- a/README.md
+++ b/README.md
@@ -63,7 +63,7 @@ test.yaml:10:28: label "linux-latest" is unknown. available labels are "windows-
 |
 10 | os: [macos-latest, linux-latest]
 | ^~~~~~~~~~~~
-test.yaml:13:41: "github.event.head_commit.message" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://securitylab.github.com/research/github-actions-untrusted-input for more details [expression]
+test.yaml:13:41: "github.event.head_commit.message" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions for more details [expression]
 |
 13 | - run: echo "Checking commit '${{ github.event.head_commit.message }}'"
 | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/docs/checks.md b/docs/checks.md
index 240f0d905..da28d2f57 100644
--- a/docs/checks.md
+++ b/docs/checks.md
@@ -880,11 +880,11 @@ jobs:
 Output:
 ```
-test.yaml:10:24: "github.event.pull_request.title" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://securitylab.github.com/research/github-actions-untrusted-input for more details [expression]
+test.yaml:10:24: "github.event.pull_request.title" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions for more details [expression]
 |
 10 | run: echo '${{ github.event.pull_request.title }}'
 | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-test.yaml:19:36: "github.event.head_commit.author.name" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://securitylab.github.com/research/github-actions-untrusted-input for more details [expression]
+test.yaml:19:36: "github.event.head_commit.author.name" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions for more details [expression]
 |
 19 | script: console.log('${{ github.event.head_commit.author.name }}')
 | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -901,7 +901,7 @@ inline scripts at `run:`. For example, if we have step as follows, an attacker
 can create a new issue with title `'; malicious_command ...`, and the inline script will run `echo 'issue'; malicious_command ...` in your workflow. The remediation of such script injection is passing potentially untrusted
-inputs via environment variables.
+inputs via environment variables. See [the official document][security-doc] for more details.
 ```yaml
 - run: echo "issue ${TITLE}"
@@ -1742,3 +1742,4 @@ actionlint checks permission scopes and access levels in a workflow are correct.
 [generate-popular-actions]: https://github.com/rhysd/actionlint/tree/main/scripts/generate-popular-actions
 [issue-25]: https://github.com/rhysd/actionlint/issues/25
 [issue-40]: https://github.com/rhysd/actionlint/issues/40
+[security-doc]: https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions
diff --git a/expr_insecure.go b/expr_insecure.go
index ff6042c47..cb24578da 100644
--- a/expr_insecure.go
+++ b/expr_insecure.go
@@ -28,7 +28,8 @@ func (m UntrustedInputMap) findElemChild() (UntrustedInputMap, bool) {
 // BuiltinUntrustedInputs is list of untrusted inputs. These inputs are detected as untrusted in
 // `run:` scripts. See the URL for more details.
-// https://securitylab.github.com/research/github-actions-untrusted-input/
+// - https://securitylab.github.com/research/github-actions-untrusted-input/
+// - https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions
 var BuiltinUntrustedInputs = UntrustedInputMap{
 "github": {
 "event": {
@@ -178,7 +179,7 @@ func (u *UntrustedInputChecker) error(n ExprNode) {
 var b strings.Builder
 b.WriteByte('"')
 v := buildPathOfObjectDereference(&b, n)
- b.WriteString(`" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://securitylab.github.com/research/github-actions-untrusted-input for more details`)
+ b.WriteString(`" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions for more details`)
 err := errorAtExpr(v, b.String())
 u.errs = append(u.errs, err)
 u.done()
diff --git a/scripts/generate-actionlint-matcher/test/escape.txt b/scripts/generate-actionlint-matcher/test/escape.txt
index 7a4ff4c5b..109411a80 100644
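Review bot: The context line `// `run:` scripts. See the URL for more details.` now introduces two bullet URLs, so its wording is stale; `// `run:` scripts. See the following URLs for more details.` reads correctly. Since the commit title distinguishes the research post from the official document, it is worth labelling each bullet so a maintainer knows which to consult when the set of untrusted properties needs revisiting, e.g. `// - original research this list was derived from: https://securitylab.github.com/research/github-actions-untrusted-input/` and `// - official GitHub documentation on script injection: https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions`. The `BuiltinUntrustedInputs` literal continues past the end of the hunk.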
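Review bot: The new docs URL is spliced into the raw-string literal on the `+` line of `UntrustedInputChecker.error`, and per the diffstat the same text is repeated in the README, docs/checks.md and eight fixture files, so the next time the page moves (docs.github.com paths have been restructured before, and this one carries no version pin) the change is again an eleven-file edit with one Go line at its core. Hoisting the link into a package-level constant next to `BuiltinUntrustedInputs`, `const untrustedInputDocURL = "https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions"`, and concatenating it into the message in place of the inline link keeps the Go side to a single place, and the doc comment above can cite the same constant instead of a second copy of the URL. The fixtures would still be regenerated, but they would then follow the constant rather than being edited by hand. The function's signature and closing brace lie outside the hunk.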
--- a/scripts/generate-actionlint-matcher/test/escape.txt
+++ b/scripts/generate-actionlint-matcher/test/escape.txt
@@ -1,4 +1,4 @@
-./testdata/err/one_error.yaml:6:41: "github.event.head_commit.message" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://securitylab.github.com/research/github-actions-untrusted-input for more details [expression]
+./testdata/err/one_error.yaml:6:41: "github.event.head_commit.message" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions for more details [expression]
  | 6 |  - run: echo "Checking commit '${{ github.event.head_commit.message }}'"  |  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/scripts/generate-actionlint-matcher/test/no_escape.txt b/scripts/generate-actionlint-matcher/test/no_escape.txt
index 6d19d546c..f71996b16 100644
--- a/scripts/generate-actionlint-matcher/test/no_escape.txt
+++ b/scripts/generate-actionlint-matcher/test/no_escape.txt
@@ -1,4 +1,4 @@
-./testdata/err/one_error.yaml:6:41: "github.event.head_commit.message" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://securitylab.github.com/research/github-actions-untrusted-input for more details [expression]
+./testdata/err/one_error.yaml:6:41: "github.event.head_commit.message" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions for more details [expression]
 |
 6 | - run: echo "Checking commit '${{ github.event.head_commit.message }}'"
 | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/scripts/generate-actionlint-matcher/test/want.json b/scripts/generate-actionlint-matcher/test/want.json
index 4581d65f7..65068b00c 100644
--- a/scripts/generate-actionlint-matcher/test/want.json
+++ b/scripts/generate-actionlint-matcher/test/want.json
@@ -1 +1 @@
-[{"message":"\"github.event.head_commit.message\" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://securitylab.github.com/research/github-actions-untrusted-input for more details","filepath":"./testdata/err/one_error.yaml","line":6,"column":41,"kind":"expression","snippet":" - run: echo \"Checking commit '${{ github.event.head_commit.message }}'\"\n ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"}]
+[{"message":"\"github.event.head_commit.message\" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions for more details","filepath":"./testdata/err/one_error.yaml","line":6,"column":41,"kind":"expression","snippet":" - run: echo \"Checking commit '${{ github.event.head_commit.message }}'\"\n ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"}]
diff --git a/testdata/err/github_script_untrusted_input.out b/testdata/err/github_script_untrusted_input.out
index 947680f3b..34b591f82 100644
--- a/testdata/err/github_script_untrusted_input.out
+++ b/testdata/err/github_script_untrusted_input.out
@@ -1 +1 @@
-test.yaml:11:162: "github.event.head_commit.author.name" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://securitylab.github.com/research/github-actions-untrusted-input for more details [expression]
+test.yaml:11:162: "github.event.head_commit.author.name" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions for more details [expression]
diff --git a/testdata/err/nested_untrusted_input.out b/testdata/err/nested_untrusted_input.out
index 550086d01..7f5d82571 100644
--- a/testdata/err/nested_untrusted_input.out
+++ b/testdata/err/nested_untrusted_input.out
@@ -1,3 +1,3 @@
-test.yaml:7:23: "github.event.pages.*.page_name" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://securitylab.github.com/research/github-actions-untrusted-input for more details [expression]
-test.yaml:7:42: "github.event.commits.*.author.name" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://securitylab.github.com/research/github-actions-untrusted-input for more details [expression]
-test.yaml:7:63: "github.event.issue.title" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://securitylab.github.com/research/github-actions-untrusted-input for more details [expression]
+test.yaml:7:23: "github.event.pages.*.page_name" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions for more details [expression]
+test.yaml:7:42: "github.event.commits.*.author.name" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions for more details [expression]
+test.yaml:7:63: "github.event.issue.title" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions for more details [expression]
diff --git a/testdata/err/one_error.out b/testdata/err/one_error.out
index 09104938f..6519951b3 100644
--- a/testdata/err/one_error.out
+++ b/testdata/err/one_error.out
@@ -1 +1 @@
-test.yaml:6:41: "github.event.head_commit.message" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://securitylab.github.com/research/github-actions-untrusted-input for more details [expression]
+test.yaml:6:41: "github.event.head_commit.message" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions for more details [expression]
diff --git a/testdata/examples/main.out b/testdata/examples/main.out
index a8f9d51c5..06207d496 100644
--- a/testdata/examples/main.out
+++ b/testdata/examples/main.out
@@ -1,7 +1,7 @@
 test.yaml:3:5: unexpected key "branch" for "push" section. expected one of "branches", "branches-ignore", "paths", "paths-ignore", "tags", "tags-ignore", "types", "workflows" [syntax-check]
 test.yaml:5:11: character '\' is invalid for branch and tag names. only special characters [, ?, +, *, \ ! can be escaped with \. see `man git-check-ref-format` for more details. note that regular expression is unavailable. note: filter pattern syntax is explained at https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet [glob]
 test.yaml:10:28: label "linux-latest" is unknown. available labels are "windows-latest", "windows-2019", "windows-2016", "ubuntu-latest", "ubuntu-20.04", "ubuntu-18.04", "ubuntu-16.04", "macos-latest", "macos-11", "macos-11.0", "macos-10.15", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file [runner-label]
-test.yaml:13:41: "github.event.head_commit.message" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://securitylab.github.com/research/github-actions-untrusted-input for more details [expression]
+test.yaml:13:41: "github.event.head_commit.message" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions for more details [expression]
 test.yaml:17:11: input "node_version" is not defined in action "actions/setup-node@v2".
available inputs are "always-auth", "architecture", "cache", "cache-dependency-path", "check-latest", "node-version", "registry-url", "scope", "token", "version" [action]
 test.yaml:21:20: property "platform" is not defined in object type {os: string} [expression]
 test.yaml:22:17: receiver of object dereference "permissions" must be type of object but got "string" [expression]
diff --git a/testdata/examples/untrusted_input.out b/testdata/examples/untrusted_input.out
index 5b359ebc8..dc30c06b0 100644
--- a/testdata/examples/untrusted_input.out
+++ b/testdata/examples/untrusted_input.out
@@ -1,2 +1,2 @@
-test.yaml:10:24: "github.event.pull_request.title" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://securitylab.github.com/research/github-actions-untrusted-input for more details [expression]
-test.yaml:19:36: "github.event.head_commit.author.name" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://securitylab.github.com/research/github-actions-untrusted-input for more details [expression]
+test.yaml:10:24: "github.event.pull_request.title" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions for more details [expression]
+test.yaml:19:36: "github.event.head_commit.author.name" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions for more details [expression]