Merge pull request from GHSA-5j4v-pr82-qg68

* security: verify dates when checking PR data * security: verify workflow source when downloading data * security: add `pull_request_target` notice * security: verify dates when benchmarking * Update benchmark.yml * Fix update-documentation-snapshots * Fix date check Co-authored-by: RedYetiDev <38299977+RedYetiDev@users.noreply.github.com> * Fix date check in two more places --------- Co-authored-by: Frédéric Collonval <fcollonval@users.noreply.github.com> Co-authored-by: Michał Krassowski <5832902+krassowski@users.noreply.github.com>
krassowski · Jul 8, 2024 · 16887de · 16887de
1 parent 8515c5e
commit 16887de
Show file tree

Hide file tree

Showing 7 changed files with 118 additions and 54 deletions.
diff --git a/.github/workflows/auto_author_assign.yml b/.github/workflows/auto_author_assign.yml
@@ -1,6 +1,11 @@
 # https://github.com/marketplace/actions/auto-author-assign
 name: 'Auto Author Assign'
 
+#####
+# This workflow is triggered by pull_request_target event.
+# Never checkout the PR and run ANY local code on it.
+#####
+
 on:
   pull_request_target:
     types: [opened, reopened]

diff --git a/.github/workflows/benchmark-report.yml b/.github/workflows/benchmark-report.yml
@@ -22,8 +22,8 @@ permissions:
 jobs:
   upload:
     runs-on: ubuntu-latest
-    # Carry action even on failure (happening if memory leak tests fail for example)
-    if: github.event.workflow_run.conclusion == 'success' || github.event.workflow_run.conclusion == 'failure'
+    # Only run on `issue_comment`, to prevent running on a malicious PR
+    if: github.event.workflow_run.event == 'issue_comment'
     steps:
       - name: 'Download artifact'
         uses: actions/github-script@v7

diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
@@ -7,8 +7,12 @@ on:
 jobs:
   test:
     name: Execute benchmark tests
-    if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, 'please run benchmarks') }}
-
+    if: >
+      (
+        github.event.issue.author_association == 'OWNER' ||
+        github.event.issue.author_association == 'COLLABORATOR' ||
+        github.event.issue.author_association == 'MEMBER'
+      ) && github.event.issue.pull_request && contains(github.event.comment.body, 'please run benchmarks')
     runs-on: ubuntu-22.04
 
     env:
@@ -21,42 +25,32 @@ jobs:
           # Need to fetch enough nodes to get the common ancestor - but don't want to fetch everything
           fetch-depth: 100
 
-      - name: Get hashes for schedule event
-        if: ${{ github.event_name == 'schedule' }}
-        run: |
-          echo "OLD_REF_SHA=$(git rev-parse 'main@{7 days ago}')" >> $GITHUB_ENV
-          echo "NEW_REF_SHA=$(git rev-parse 'main')" >> $GITHUB_ENV
-
-      - name: Get hashes for PR review event
-        if: ${{ github.event_name == 'pull_request_review' }}
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const child_process = require("child_process");
-            const pull_request = context.payload.pull_request;
-
-            child_process.exec(`git merge-base ${pull_request.head.sha} ${pull_request.base.sha}`, (error, stdout, stderr) => {
-              if (error) {
-                console.log(error);
-                process.exit(1);
-                return;
-              }
-              if (stderr) {
-                console.log(stderr);
-                process.exit(1);
-                return;
-              }
-
-              core.exportVariable('OLD_REF_SHA', stdout.trim());
-              core.exportVariable('NEW_REF_SHA', pull_request.head.sha);
-              core.exportVariable('PULL_REQUEST_ID', pull_request.number);
-            });
-
       - name: Base Setup
         uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
 
       - uses: iterative/setup-cml@v3
 
+      - name: Get PR Info
+        id: pr
+        env:
+          PR_NUMBER: ${{ github.event.issue.number }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REPO: ${{ github.repository }}
+          COMMENT_AT: ${{ github.event.comment.created_at }}
+        run: |
+          pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})"
+          head_sha="$(echo "$pr" | jq -r .head.sha)"
+          base_sha="$(echo "$pr" | jq -r .base.sha)"
+          root_sha="$(git merge-base '${head_sha}' '${base_sha}')"
+          updated_at="$(echo "$pr" | jq -r .updated_at)"
+
+          if [[ $(date -d "$updated_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then
+              exit 1
+          fi
+
+          echo "OLD_REF_SHA=$root_sha" >> $GITHUB_ENV
+          echo "NEW_REF_SHA=$head_sha" >> $GITHUB_ENV
+
       # First run the benchmark on the old reference
       - name: Checkout old reference
         run: |
@@ -198,7 +192,12 @@ jobs:
 
   memory-leak:
     name: Execute memory-leak tests
-    if: github.event_name == 'schedule' || (github.event_name == 'pull_request_review' && (github.event.review.state == 'approved' || contains(github.event.review.body, 'please run benchmark')))
+    if: >
+      (
+        github.event.issue.author_association == 'OWNER' ||
+        github.event.issue.author_association == 'COLLABORATOR' ||
+        github.event.issue.author_association == 'MEMBER'
+      ) && github.event.issue.pull_request && contains(github.event.comment.body, 'please run benchmarks')
 
     runs-on: ubuntu-22.04
     timeout-minutes: 30
@@ -207,15 +206,6 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Get hashes for PR review event
-        if: ${{ github.event_name == 'pull_request_review' }}
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const child_process = require("child_process");
-            const pull_request = context.payload.pull_request;
-            core.exportVariable('PULL_REQUEST_ID', pull_request.number);
-
       - name: Base Setup
         uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
 

diff --git a/.github/workflows/enforce-label.yml b/.github/workflows/enforce-label.yml
@@ -1,5 +1,10 @@
 name: Enforce PR label
 
+#####
+# This workflow is triggered by pull_request_target event.
+# Never checkout the PR and run ANY local code on it.
+#####
+
 on:
   pull_request_target:
     types: [labeled, unlabeled, opened, edited, synchronize]

diff --git a/.github/workflows/galata-update.yml b/.github/workflows/galata-update.yml
@@ -11,7 +11,15 @@ permissions:
 jobs:
   update-galata-snapshots:
     name: Update Galata References
-    if: ${{ github.event.issue.pull_request && (contains(github.event.comment.body, 'please update galata snapshots') || contains(github.event.comment.body, 'please update snapshots')) }}
+    if: >
+      (
+        github.event.issue.author_association == 'OWNER' ||
+        github.event.issue.author_association == 'COLLABORATOR' ||
+        github.event.issue.author_association == 'MEMBER'
+      ) && github.event.issue.pull_request && (
+        contains(github.event.comment.body, 'please update galata snapshots') ||
+        contains(github.event.comment.body, 'please update snapshots')
+      )
     timeout-minutes: 80
     runs-on: ubuntu-22.04
 
@@ -30,10 +38,29 @@ jobs:
       - name: Configure git to use https
         run: git config --global hub.protocol https
 
-      - name: Checkout the branch from the PR that triggered the job
-        run: gh pr checkout ${{ github.event.issue.number }}
+      - name: Get PR Info
+        id: pr
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.issue.number }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REPO: ${{ github.repository }}
+          COMMENT_AT: ${{ github.event.comment.created_at }}
+        run: |
+          pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})"
+          head_sha="$(echo "$pr" | jq -r .head.sha)"
+          updated_at="$(echo "$pr" | jq -r .updated_at)"
+
+          if [[ $(date -d "$updated_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then
+              exit 1
+          fi
+
+          echo "head_sha=$head_sha" >> $GITHUB_OUTPUT
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ steps.pr.outputs.head_sha }}
+          token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Base Setup
         uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
@@ -61,7 +88,15 @@ jobs:
 
   update-documentation-snapshots:
     name: Update Documentation Snapshots
-    if: ${{ github.event.issue.pull_request && (contains(github.event.comment.body, 'please update documentation snapshots') || contains(github.event.comment.body, 'please update snapshots')) }}
+    if: >
+      (
+        github.event.issue.author_association == 'OWNER' ||
+        github.event.issue.author_association == 'COLLABORATOR' ||
+        github.event.issue.author_association == 'MEMBER'
+      ) && github.event.issue.pull_request && (
+        contains(github.event.comment.body, 'please update documentation snapshots') ||
+        contains(github.event.comment.body, 'please update snapshots')
+      )
     timeout-minutes: 80
     runs-on: ubuntu-22.04
 
@@ -98,11 +133,29 @@ jobs:
           echo "JUPYTERLAB_GALATA_ROOT_DIR=$PWD" >> $GITHUB_ENV
         working-directory: demo
 
-      - name: Checkout the branch from the PR that triggered the job
-        working-directory: core
-        run: gh pr checkout ${{ github.event.issue.number }}
+      - name: Get PR Info
+        id: pr
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.issue.number }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REPO: ${{ github.repository }}
+          COMMENT_AT: ${{ github.event.comment.created_at }}
+        run: |
+          pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})"
+          head_sha="$(echo "$pr" | jq -r .head.sha)"
+          updated_at="$(echo "$pr" | jq -r .updated_at)"
+
+          if [[ $(date -d "$updated_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then
+              exit 1
+          fi
+
+          echo "head_sha=$head_sha" >> $GITHUB_OUTPUT
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ steps.pr.outputs.head_sha }}
+          token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Base Setup
         uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1

diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -1,5 +1,11 @@
 # https://github.com/marketplace/actions/labeler
 name: "Pull Request Labeler"
+
+#####
+# This workflow is triggered by pull_request_target event.
+# Never checkout the PR and run ANY local code on it.
+#####
+
 on:
 - pull_request_target
 

diff --git a/.github/workflows/license-header.yml b/.github/workflows/license-header.yml
@@ -20,6 +20,11 @@ jobs:
       - name: Configure git to use https
         run: git config --global hub.protocol https
 
+        #####
+        # This workflow is triggered by pull_request_target event.
+        # The following step will checkout the PR.
+        # DO NOT, UNDER ANY CIRCUMSTANCES, RUN ANY LOCAL CODE ON THE PR.
+        #####
       - name: Checkout the branch from the PR that triggered the job
         run: gh pr checkout ${{ github.event.pull_request.number }}
         env: