Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: github workflow vulnerable to script injection #2600

Merged
merged 5 commits into from
Aug 20, 2024

Conversation

diogoteles08
Copy link
Contributor

Hi! I'm Diogo from Google's Open Source Security Team(GOSST) and I'm dropping by to suggest this small change that will enhance the security of your repository by preventing script injection attacks through your GitHub workflows.

In the piece of code I changed, you were directly using the value of a variable that comes from a user's input, so a malicious user could exploit that input and use it to run arbitrary code. By using an intermediate environment variable, the value of the expression is stored in memory, used as a variable and doesn't interact with the script generation process. This mitigates the script injection risks and also keeps your workflow running exactly as before.

You can find more information about this on this github documentation or in this gitguardian blogpost.

Cheers!

@diogoteles08 diogoteles08 requested review from a team as code owners August 12, 2024 16:03
@diogoteles08 diogoteles08 requested a review from leahecole August 12, 2024 16:03
@product-auto-label product-auto-label bot added size: xs Pull request size is extra small. api: bigquerystorage Issues related to the googleapis/java-bigquerystorage API. labels Aug 12, 2024
@PhongChuong
Copy link
Contributor

@diogoteles08 , lgtm but can you take a look also. There might be other instances elsewhere where this might be useful.

@diegomarquezp
Copy link
Contributor

diegomarquezp commented Aug 16, 2024

cc: @JoeWang1127 @blakeli0

@diegomarquezp
Copy link
Contributor

@PhongChuong we have this script in other hw repos.

@JoeWang1127
Copy link
Contributor

I did a similar change in google-cloud-java: googleapis/google-cloud-java#10881

@diogoteles08
Copy link
Contributor Author

@diogoteles08 , lgtm but can you take a look also. There might be other instances elsewhere where this might be useful.

Hi! I did realize this very same workflow was used in other repositories of this org. I grouped some and pointed them in this comment: googleapis/java-storage#2663 (comment)

@PhongChuong
Copy link
Contributor

/gcbrun

@PhongChuong PhongChuong added kokoro:force-run Add this label to force Kokoro to re-run the tests. kokoro:run Add this label to force Kokoro to re-run the tests. labels Aug 19, 2024
@yoshi-kokoro yoshi-kokoro removed kokoro:run Add this label to force Kokoro to re-run the tests. kokoro:force-run Add this label to force Kokoro to re-run the tests. labels Aug 19, 2024
@PhongChuong PhongChuong added kokoro:force-run Add this label to force Kokoro to re-run the tests. kokoro:run Add this label to force Kokoro to re-run the tests. labels Aug 19, 2024
@yoshi-kokoro yoshi-kokoro removed kokoro:run Add this label to force Kokoro to re-run the tests. kokoro:force-run Add this label to force Kokoro to re-run the tests. labels Aug 19, 2024
@product-auto-label product-auto-label bot added size: s Pull request size is small. and removed size: xs Pull request size is extra small. labels Aug 19, 2024
@diegomarquezp
Copy link
Contributor

@diogoteles08 just testing a few commits to confirm if we can also inline an env var in the if statement in this yaml.

@diegomarquezp diegomarquezp added the automerge Merge the pull request once unit tests and other checks pass. label Aug 19, 2024
@diegomarquezp
Copy link
Contributor

/gcbrun

@diegomarquezp diegomarquezp merged commit 9ce25b6 into googleapis:main Aug 20, 2024
19 checks passed
@gcf-merge-on-green gcf-merge-on-green bot removed the automerge Merge the pull request once unit tests and other checks pass. label Aug 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
api: bigquerystorage Issues related to the googleapis/java-bigquerystorage API. size: s Pull request size is small.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants