
Avoid running malicious inputs as shell commands in the GitHub Actions #2397

Merged
merged 1 commit into from
May 13, 2024

Conversation

eason9487
Member

@eason9487 eason9487 commented May 10, 2024

Changes proposed in this Pull Request:

This PR avoids running malicious inputs as shell commands in the GitHub Actions.

Although these input values are entered by devs who have access to this repo, which means it's almost unlikely to be vulnerable to such attacks, it would be better to fix it.

Detailed test instructions:

📌 E2E Tests workflow

  1. View the E2E Tests workflow run that was injected with the shell command ls -la
  2. View the E2E Tests workflow run that avoids the shell command injections
  3. Check if the "Install WP release candidate" and "Install WC release candidate" steps can work as before when entering valid versions

📌 PHP Unit Tests

  1. View the PHP Unit Tests workflow run that was injected with the shell commands ls -la and cat README.md
  2. View the PHP Unit Tests workflow run that avoids the shell command injections
  3. Check if the "Install WP tests" step can work as before when entering valid versions

Changelog entry
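As an added illustration of the class of issue this PR addresses (not the PR's own diff), the workflow below shows a version input expanded directly inside a run script next to the hardened form that passes the value through an environment variable and validates its shape first. The input name wp-version, the job names and the ./bin/install-wp.sh script are assumptions for the example, not names from this repository.

```yaml
# Added example, not code from this PR or repository.
name: Install WP release candidate (example)

on:
  workflow_dispatch:
    inputs:
      wp-version:
        description: 'WordPress version to install (assumed input name)'
        required: false
        type: string

jobs:
  injectable:
    runs-on: ubuntu-latest
    steps:
      # Risky: the ${{ }} expression is substituted into the script text
      # before the shell parses it, so an input containing a `;` followed by
      # another command (such as the ls -la used in the test runs above)
      # is executed as part of the step.
      - name: Install WP (injectable form)
        run: |
          ./bin/install-wp.sh "${{ inputs.wp-version }}"   # hypothetical script

  hardened:
    runs-on: ubuntu-latest
    steps:
      # Safe: the value reaches the script only as an environment variable,
      # which the shell treats as data; quoting "$WP_VERSION" keeps it one word.
      - name: Validate version input
        env:
          WP_VERSION: ${{ inputs.wp-version }}
        run: |
          # Accept only digits, dots and an optional pre-release suffix, e.g. 6.5-RC1.
          if [ -n "$WP_VERSION" ] && \
             ! printf '%s\n' "$WP_VERSION" | grep -Eq '^[0-9]+(\.[0-9]+)*(-[A-Za-z0-9.]+)?$'; then
            echo "::error::Rejected wp-version input: $WP_VERSION"
            exit 1
          fi
      - name: Install WP (hardened form)
        if: inputs.wp-version != ''
        env:
          WP_VERSION: ${{ inputs.wp-version }}
        run: |
          ./bin/install-wp.sh "$WP_VERSION"   # hypothetical script
```

The same env-variable pattern applies to the "Install WC release candidate" and "Install WP tests" steps named in the test instructions, since each takes a free-form version string from the workflow input.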

@eason9487 eason9487 requested a review from a team May 10, 2024 08:11
@eason9487 eason9487 self-assigned this May 10, 2024
@github-actions github-actions bot added the changelog: dev Developer-facing only change. label May 10, 2024
@eason9487 eason9487 marked this pull request as draft May 10, 2024 08:25
Contributor

@martynmjones martynmjones left a comment


Hey @eason9487, thanks for adding extra protections for the input values!

Reviewed the changes and the example runs and all looks good ✅

@eason9487 eason9487 merged commit ad30181 into fix/e2e-setup-wp-env May 13, 2024
16 of 18 checks passed
@eason9487 eason9487 deleted the dev/avoid-gha-malicious-input branch May 13, 2024 02:14
@eason9487 eason9487 restored the dev/avoid-gha-malicious-input branch May 13, 2024 09:43
eason9487 added a commit that referenced this pull request May 13, 2024
…ious-input"

This reverts commit ad30181, reversing
changes made to eb50e5d.

Ref: #2393 (comment)
@eason9487 eason9487 added changelog: none Skip changelog entry for this PR and removed changelog: dev Developer-facing only change. labels May 13, 2024