mirror of
https://github.com/actions/checkout.git
synced 2026-07-15 19:24:48 +03:00
Compare commits
3 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 4afa37ac8d | |||
| aa3faa9f29 | |||
| f9e715a95f |
@@ -155,50 +155,4 @@ describe('input-helper tests', () => {
|
||||
const settings: IGitSourceSettings = await inputHelper.getInputs()
|
||||
expect(settings.workflowOrganizationId).toBe(123456)
|
||||
})
|
||||
|
||||
describe('unsafe PR checkout guard', () => {
|
||||
const forkPayload = {
|
||||
repository: {id: 100},
|
||||
pull_request: {
|
||||
head: {
|
||||
sha: '1234567890123456789012345678901234567890',
|
||||
repo: {id: 200, full_name: 'attacker/fork'}
|
||||
},
|
||||
merge_commit_sha: 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
|
||||
}
|
||||
}
|
||||
|
||||
it('allows the default self-checkout on a fork pull_request_target', async () => {
|
||||
const originalEvent = github.context.eventName
|
||||
const originalPayload = github.context.payload
|
||||
try {
|
||||
github.context.eventName = 'pull_request_target'
|
||||
github.context.payload = forkPayload as any
|
||||
// Simulate a rebase/fast-forward merge where the base tip (event SHA)
|
||||
// equals the PR head SHA. The default self-checkout must still succeed.
|
||||
github.context.sha = '1234567890123456789012345678901234567890'
|
||||
const settings: IGitSourceSettings = await inputHelper.getInputs()
|
||||
expect(settings.commit).toBe('1234567890123456789012345678901234567890')
|
||||
} finally {
|
||||
github.context.eventName = originalEvent
|
||||
github.context.payload = originalPayload
|
||||
}
|
||||
})
|
||||
|
||||
it('refuses an explicit fork repository on pull_request_target', async () => {
|
||||
const originalEvent = github.context.eventName
|
||||
const originalPayload = github.context.payload
|
||||
try {
|
||||
github.context.eventName = 'pull_request_target'
|
||||
github.context.payload = forkPayload as any
|
||||
inputs.repository = 'attacker/fork'
|
||||
await expect(inputHelper.getInputs()).rejects.toThrow(
|
||||
/Refusing to check out fork pull request code/
|
||||
)
|
||||
} finally {
|
||||
github.context.eventName = originalEvent
|
||||
github.context.payload = originalPayload
|
||||
}
|
||||
})
|
||||
})
|
||||
})
|
||||
|
||||
Vendored
+9
-16
@@ -2150,19 +2150,12 @@ function getInputs() {
|
||||
(core.getInput('allow-unsafe-pr-checkout') || 'false').toUpperCase() ===
|
||||
'TRUE';
|
||||
core.debug(`allow unsafe PR checkout = ${result.allowUnsafePrCheckout}`);
|
||||
// The default self-checkout (this repository with no explicit ref) always
|
||||
// resolves to the trusted ref/commit GitHub set for the triggering event, so
|
||||
// the fork-checkout guard only needs to run when the caller customized the
|
||||
// repository or ref.
|
||||
const isDefaultCheckout = isWorkflowRepository && !core.getInput('ref');
|
||||
if (!isDefaultCheckout) {
|
||||
unsafePrCheckoutHelper.assertSafePrCheckout({
|
||||
qualifiedRepository,
|
||||
ref: result.ref,
|
||||
commit: result.commit,
|
||||
allowUnsafePrCheckout: result.allowUnsafePrCheckout
|
||||
});
|
||||
}
|
||||
unsafePrCheckoutHelper.assertSafePrCheckout({
|
||||
qualifiedRepository,
|
||||
ref: result.ref,
|
||||
commit: result.commit,
|
||||
allowUnsafePrCheckout: result.allowUnsafePrCheckout
|
||||
});
|
||||
return result;
|
||||
});
|
||||
}
|
||||
@@ -2840,9 +2833,9 @@ function assertSafePrCheckout(input) {
|
||||
throw new Error(`Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
|
||||
`This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
|
||||
`cache scope, and runner access. Fetching and executing a fork's code in that trusted ` +
|
||||
`context commonly leads to "pwn request" vulnerabilities. To opt in, review the risks ` +
|
||||
`at https://gh.io/securely-using-pull_request_target and set 'allow-unsafe-pr-checkout: true' ` +
|
||||
`on the actions/checkout step.`);
|
||||
`context commonly leads to "pwn request" vulnerabilities. To opt in after reviewing ` +
|
||||
`the risks at https://gh.io/securely-using-pull_request_target, set ` +
|
||||
`'allow-unsafe-pr-checkout: true' on the actions/checkout step.`);
|
||||
}
|
||||
function pushIfSha(target, value) {
|
||||
if (typeof value === 'string' && value.length > 0) {
|
||||
|
||||
Generated
+5
-4
@@ -14,6 +14,7 @@
|
||||
"@actions/github": "^6.0.0",
|
||||
"@actions/io": "^1.1.3",
|
||||
"@actions/tool-cache": "^2.0.1",
|
||||
"flatted": "^3.4.2",
|
||||
"uuid": "^9.0.1"
|
||||
},
|
||||
"devDependencies": {
|
||||
@@ -3590,10 +3591,10 @@
|
||||
}
|
||||
},
|
||||
"node_modules/flatted": {
|
||||
"version": "3.3.1",
|
||||
"resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.1.tgz",
|
||||
"integrity": "sha512-X8cqMLLie7KsNUDSdzeN8FYK9rEt4Dt67OsG/DNGnYTSDBG4uFAJFBnUeiV+zCVAvwFy56IjM9sH51jVaEhNxw==",
|
||||
"dev": true
|
||||
"version": "3.4.2",
|
||||
"resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
|
||||
"integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
|
||||
"license": "ISC"
|
||||
},
|
||||
"node_modules/for-each": {
|
||||
"version": "0.3.3",
|
||||
|
||||
@@ -33,6 +33,7 @@
|
||||
"@actions/github": "^6.0.0",
|
||||
"@actions/io": "^1.1.3",
|
||||
"@actions/tool-cache": "^2.0.1",
|
||||
"flatted": "^3.4.2",
|
||||
"uuid": "^9.0.1"
|
||||
},
|
||||
"devDependencies": {
|
||||
|
||||
+6
-13
@@ -168,19 +168,12 @@ export async function getInputs(): Promise<IGitSourceSettings> {
|
||||
'TRUE'
|
||||
core.debug(`allow unsafe PR checkout = ${result.allowUnsafePrCheckout}`)
|
||||
|
||||
// The default self-checkout (this repository with no explicit ref) always
|
||||
// resolves to the trusted ref/commit GitHub set for the triggering event, so
|
||||
// the fork-checkout guard only needs to run when the caller customized the
|
||||
// repository or ref.
|
||||
const isDefaultCheckout = isWorkflowRepository && !core.getInput('ref')
|
||||
if (!isDefaultCheckout) {
|
||||
unsafePrCheckoutHelper.assertSafePrCheckout({
|
||||
qualifiedRepository,
|
||||
ref: result.ref,
|
||||
commit: result.commit,
|
||||
allowUnsafePrCheckout: result.allowUnsafePrCheckout
|
||||
})
|
||||
}
|
||||
unsafePrCheckoutHelper.assertSafePrCheckout({
|
||||
qualifiedRepository,
|
||||
ref: result.ref,
|
||||
commit: result.commit,
|
||||
allowUnsafePrCheckout: result.allowUnsafePrCheckout
|
||||
})
|
||||
|
||||
return result
|
||||
}
|
||||
|
||||
@@ -75,9 +75,9 @@ export function assertSafePrCheckout(input: IUnsafePrCheckoutInput): void {
|
||||
`Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
|
||||
`This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
|
||||
`cache scope, and runner access. Fetching and executing a fork's code in that trusted ` +
|
||||
`context commonly leads to "pwn request" vulnerabilities. To opt in, review the risks ` +
|
||||
`at https://gh.io/securely-using-pull_request_target and set 'allow-unsafe-pr-checkout: true' ` +
|
||||
`on the actions/checkout step.`
|
||||
`context commonly leads to "pwn request" vulnerabilities. To opt in after reviewing ` +
|
||||
`the risks at https://gh.io/securely-using-pull_request_target, set ` +
|
||||
`'allow-unsafe-pr-checkout: true' on the actions/checkout step.`
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user