Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore: prevent action bash escapes (#294)
# Description @robertprast in #285 and @random-dudde over at https://github.com/random-dudde/retina/pull/1 are poking at the [commit-message](https://github.com/microsoft/retina/blob/30a128b985bc99fc8686ef21afa1cc7358dc7dfd/.github/workflows/commit-message.yaml) Action trying to pull off a bash escape exploit. The bash escape actually exists, due to the direct usage of the PR title: ```bash commit_msg_header="${{ github.event.pull_request.title }}" ``` **However, this is not readily exploitable** because we require approval to run workflows on _all_ external contributions. A maintainer would need to approve the workflow, which makes it unlikely that any useful bash could be sneakily stuffed in to the title and executed. Even getting workflow approval with a benign title and then updating it later is correctly handled by GH and requires a new maintainer approval: ![image](https://github.com/microsoft/retina/assets/2940321/0fcee51d-1f72-48c3-a961-41ef31124b78) preventing a TOCTOU malicious title swap. With that all said...unlikely does not mean impossible, and even though it is not a zero-click attack, xz showed us that social engineering can be extremely effective. This change removes the bash escape by staging the user-input in an [intermediate environment variable](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable) at the Job level. ## Related Issue If this pull request is related to any issue, please mention it here. Additionally, make sure that the issue is assigned to you before submitting this pull request. ## Checklist - [x] I have read the [contributing documentation](https://retina.sh/docs/contributing). - [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits. - [x] I have correctly attributed the author(s) of the code. - [x] I have tested the changes locally. - [x] I have followed the project's style guidelines. - [x] I have updated the documentation, if necessary. - [x] I have added tests, if applicable. ## Screenshots (if applicable) or Testing Completed Please add any relevant screenshots or GIFs to showcase the changes made. ## Additional Notes Add any additional notes or context about the pull request here. --- Please refer to the [CONTRIBUTING.md](../CONTRIBUTING.md) file for more information on how to contribute to this project. Signed-off-by: Evan Baker <rbtr@users.noreply.github.com>
- Loading branch information