Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use apiURL to determine whether to use the token #1615

Closed

Conversation

lcartey
Copy link

@lcartey lcartey commented Mar 28, 2023

The action includes this check to determine whether to include the token in the request:

  } else if (codeqlURL.startsWith(`${apiDetails.url}/`)) {
    logger.debug("Providing an authorization token to download CodeQL tools.");
    authorization = `token ${apiDetails.auth}`;
  }

The intention is to only include the token if we are fetching from the same instance, to avoid leaking tokens.

However, the codeqlURL in this check will refer to the API url to use to download the release. For example:

https://api.github.com/repos/myrepo/codeql-action/releases/assets/

However, the apiDetails.url refers to the instance URL, e.g. https://github.com, which means the check will always fail. We therefore need to use the apiDetails.apiURL to get the appropriate comparison.

Merge / deployment checklist

  • Confirm this change is backwards compatible with existing workflows.
  • Confirm the readme has been updated if necessary.
  • Confirm the changelog has been updated if necessary.

The codeqlURL in this check will refer to the API url to use to download
the release. For example:

https://api.github.com/repos/myrepo/codeql-action/releases/assets/<id>

However, the apiDetails.url refers to the instance URL, e.g.
https://github.com. We therefore need to use the apiDetails.apiURL to
get the appropriate comparison.
@lcartey lcartey requested a review from a team as a code owner March 28, 2023 11:08
Copy link
Contributor

@henrymercer henrymercer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems reasonable, but I think we want to preserve the old behaviour.

@@ -608,7 +608,7 @@ export async function downloadCodeQL(
let authorization: string | undefined = undefined;
if (searchParams.has("token")) {
logger.debug("CodeQL tools URL contains an authorization token.");
} else if (codeqlURL.startsWith(`${apiDetails.url}/`)) {
} else if (codeqlURL.startsWith(`${apiDetails.apiURL}/`)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If a user provides a tools URL explicitly like tools: https://github.com/github/codeql-action/releases/download/codeql-bundle-20230317/codeql-bundle-linux64.tar.gz, I think we'll want to authenticate this too. Therefore I think we might want to loosen this to codeqlURL.startsWith(`${apiDetails.url}/`) || codeqlURL.startsWith(`${apiDetails.apiURL}/`).

@henrymercer
Copy link
Contributor

Closing in favor of #1945.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants