chore(deps): update tj-actions/verify-changed-files action to v17 [security] #2301
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v16
->v17
GitHub Vulnerability Alerts
CVE-2023-52137
Summary
The
tj-actions/verify-changed-files
action allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets.Details
The
verify-changed-files
workflow returns the list of files changed within a workflow execution.This could potentially allow filenames that contain special characters such as
;
and ` (backtick) which can be used by an attacker to take over the GitHub Runner if the output value is used in a raw fashion (thus being directly replaced before execution) inside arun
block. By running custom commands an attacker may be able to steal secrets such asGITHUB_TOKEN
if triggered on other events thanpull_request
. For example onpush
.Proof of Concept
$(whoami).txt
would be a valid filename.List all changed files tracked and untracked files
step.Example output:
Impact
This issue may lead to arbitrary command execution in the GitHub Runner.
Resolution
A new
safe_output
input would be enabled by default and return filename paths escaping special characters like ;, ` (backtick), $, (), etc for bash environments.A safe recommendation of using environment variables to store unsafe outputs.
Resources
Release Notes
tj-actions/verify-changed-files (tj-actions/verify-changed-files)
v17
Compare Source
Changes in v17.0.0
🔥 🔥 BREAKING CHANGE 🔥 🔥
A new
safe_output
input is now available to prevent outputting unsafe filename characters (Enabled by default). This would escape characters in the filename that could be used for command injection.Example
What's Changed
Full Changelog: tj-actions/verify-changed-files@v16...v17.0.0
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.