-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update tj-actions/changed-files action to v41 [SECURITY] - autoclosed #161
Update tj-actions/changed-files action to v41 [SECURITY] - autoclosed #161
Conversation
Current Aviator status
This PR was merged manually (without Aviator). Merging manually can negatively impact the performance of the queue. Consider using Aviator next time.
See the real-time status of this PR on the
Aviator webapp.
Use the Aviator Chrome Extension
to see the status of your PR within GitHub.
|
Unable to locate .performanceTestingBot config file |
Micro-Learning Topic: OS command injection (Detected by phrase)Matched on "command injection"In many situations, applications will rely on OS provided functions, scripts, macros and utilities instead of reimplementing them in code. While functions would typically be accessed through a native interface library, the remaining three OS provided features will normally be invoked via the command line or launched as a process. If unsafe inputs are used to construct commands or arguments, it may allow arbitrary OS operations to be performed that can compromise the server. Try a challenge in Secure Code WarriorHelpful references
|
Hi there! 👋 Thanks for opening a PR. It looks like you've already reached the 5 review limit on our Basic Plan for the week. If you still want a review, feel free to upgrade your subscription in the Web App and then reopen the PR |
View changes in DiffLens |
This PR has Quantification details
Why proper sizing of changes matters
Optimal pull request sizes drive a better predictable PR flow as they strike a
What can I do to optimize my changes
How to interpret the change counts in git diff output
Was this comment helpful? 👍 :ok_hand: :thumbsdown: (Email) |
Thanks for opening this Pull Request!
|
Important Auto Review SkippedBot user detected. To trigger a single review, invoke the Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media? TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (invoked as PR comments)
Additionally, you can add CodeRabbit Configration File (
|
This PR contains the following updates:
v40
->v41
GitHub Vulnerability Alerts
CVE-2023-51664
Summary
The
tj-actions/changed-files
workflow allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets.Details
The
changed-files
action returns a list of files changed in a commit or pull request which provides anescape_json
input enabled by default, only escapes"
for JSON values.This could potentially allow filenames that contain special characters such as
;
and ` (backtick) which can be used by an attacker to take over the GitHub Runner if the output value is used in a raw fashion (thus being directly replaced before execution) inside arun
block. By running custom commands an attacker may be able to steal secrets such asGITHUB_TOKEN
if triggered on other events thanpull_request
. For example onpush
.Proof of Concept
$(whoami).txt
which is a valid filename.List all changed files
step below.Example output:
Impact
This issue may lead to arbitrary command execution in the GitHub Runner.
Resolution
A new
safe_output
input would be enabled by default and return filename paths escaping special characters like ;, ` (backtick), $, (), etc for bash environments.A safe recommendation of using environment variables to store unsafe outputs.
Resources
Release Notes
tj-actions/changed-files (tj-actions/changed-files)
v41
Compare Source
Changes in v41.1.2
What's Changed
Full Changelog: tj-actions/changed-files@v41...v41.1.2
Changes in v41.1.1
What's Changed
Full Changelog: tj-actions/changed-files@v41...v41.1.1
Changes in v41.1.0
What's Changed
Full Changelog: tj-actions/changed-files@v41...v41.1.0
Changes in v41.0.1
What's Changed
Full Changelog: tj-actions/changed-files@v41...v41.0.1
Changes in v41.0.0
🔥 🔥 BREAKING CHANGE 🔥 🔥
A new
safe_output
input is now available to prevent outputting unsafe filename characters (Enabled by default). This would escape characters in the filename that could be used for command injection.Example
What's Changed
Full Changelog: tj-actions/changed-files@v40...v41.0.0
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.