Add new script injection input #332
Conversation
Unfortunately this PR is not straightforwardly acceptable because
But it's a good point that accessing
Sorry for the valid tests that I removed. The problem I want to fix with this PR is the use of this expression in run scripts. The solution is not to ban
We could change the
I propose a new solution for matching all elements, like in env. I'm using
Sorry for all the commits; I was confused with my branches and my local repo.
I think banning
Hi @rhysd, any update on this PR? I've opened an issue with more details as you asked :)
78e9286 to 0b49da7
…he possibility to add wildcard in dangerous expressions
Hi @rhysd, I've reverted the
However, I've kept the possibility to add a wildcard entry to this:

```go
// "**" matches any child of "env", so every env.* value is treated as untrusted
var envUntrustedInput = actionlint.NewUntrustedInputMap("env",
	actionlint.NewUntrustedInputMap("**"),
)
...
// register the custom root alongside the built-in search roots
untrustedInputSearchRoots := actionlint.BuiltinUntrustedInputs
untrustedInputSearchRoots.AddRoot(envUntrustedInput)
```

This way it doesn't impact actionlint but offers the possibility to catch other untrusted inputs. In my context I can catch this:
I hope this suits you better. All the tests are OK, so this should be better for you :) Don't hesitate if you have any remarks!
Hi @rhysd, any comment since my last update? Do you need additional information or something to help you with this PR?
05e056b to 5aaa4ce
I've added a new entry in BuiltinUntrustedInputs because I already saw something like this, where it's possible to inject code in the runner from an opened issue:
I changed a lot of tests to make it work; I hope it will be OK.
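As an added example (not actionlint's code and not part of this PR), here is the kind of check the two comments above describe: a small Python linter that walks a tree of untrusted-input paths, including an `env` root with a `**` wildcard like the one proposed, and flags those expressions when they are interpolated into `run:` scripts of a workflow triggered by an issue. The tree contents, the regexes and the sample workflow are constructed for this example, not actionlint's own data or its YAML parser.

```python
import re

# Untrusted-input tree in the spirit of actionlint's UntrustedInputMap (constructed here, not
# actionlint's own data): a leaf {} is an untrusted value, a "**" child matches any subpath.
UNTRUSTED = {
    "github": {"event": {"issue": {"title": {}, "body": {}}, "pull_request": {"title": {}}}},
    "env": {"**": {}},  # the PR's wildcard root: every env.* value is treated as untrusted
}
EXPR_RE = re.compile(r"\$\{\{\s*([A-Za-z_][\w.-]*)\s*\}\}")  # plain property paths only
RUN_RE = re.compile(r"^((\s*)(?:-\s+)?)run:\s*(.*)$")          # 'run:' key, with or without a list dash

def is_untrusted(path, tree=UNTRUSTED):
    """True if the dotted path reaches an untrusted leaf or a '**' wildcard."""
    node = tree
    for part in path.split("."):
        if part not in node:
            return "**" in node
        node = node[part]
    return not node  # a prefix such as github.event is not itself a match

def find_injections(workflow_text):
    """Return [(lineno, path)] for untrusted expressions inside run: scripts (line-based, not a YAML parser)."""
    hits, run_col = [], None
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = RUN_RE.match(line)
        if m:
            run_col, text = len(m.group(1)), m.group(3)
        elif run_col is not None and (not line.strip() or len(line) - len(line.lstrip()) > run_col):
            text = line  # continuation of a block-scalar script
        else:
            run_col = None  # a sibling key (env:, name:) or the next step ends the script
            continue
        hits += [(lineno, p) for p in EXPR_RE.findall(text) if is_untrusted(p)]
    return hits

# Constructed workflow: line 2 interpolates an issue title directly, line 5 hits the env.**
# wildcard, line 7 passes the title through env (the safe pattern), line 8 uses a trusted context.
WORKFLOW = """\
steps:
  - run: echo "${{ github.event.issue.title }}"
  - run: |
      echo "$TITLE"
      echo "${{ env.ISSUE_BODY }}"
    env:
      TITLE: ${{ github.event.issue.title }}
  - run: echo "${{ github.repository }}"
"""

for lineno, path in find_injections(WORKFLOW):
    print(f"line {lineno}: untrusted input {path!r} interpolated into a run: script")
```

Only the two direct interpolations are reported; the value passed through `env:` and read as `$TITLE` is the pattern actionlint recommends instead.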