Commit 9446bc1
chore(deps): update tj-actions/changed-files action to v41 [security] (#2433)
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [tj-actions/changed-files](https://togithub.com/tj-actions/changed-files) | action | major | `v40` -> `v41` |
### GitHub Vulnerability Alerts
#### [CVE-2023-51664](https://togithub.com/tj-actions/changed-files/security/advisories/GHSA-mcph-m25j-8j63)
### Summary
The `tj-actions/changed-files` workflow allows for command injection in
changed filenames, allowing an attacker to execute arbitrary code and
potentially leak secrets.
### Details
The [`changed-files`](https://togithub.com/tj-actions/changed-files) action returns a list of files changed in a commit or pull request. It provides an `escape_json` input, [enabled by default](https://togithub.com/tj-actions/changed-files/blob/94549999469dbfa032becf298d95c87a14c34394/action.yml#L136), that only escapes `"` for JSON values.
This could potentially allow filenames that contain special characters such as `;` and `` ` `` (backtick), which an attacker can use to take over the [GitHub Runner](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners) if the output value is used in a raw fashion (thus being directly replaced before execution) inside a `run` block. By running custom commands an attacker may be able to steal **secrets** such as `GITHUB_TOKEN` if triggered on events other than `pull_request`, for example on `push`.
#### Proof of Concept
1. Submit a pull request to a repository with a new file injecting a
command. For example `$(whoami).txt` which is a valid filename.
2. Upon approval of the workflow (triggered by the pull request), the
action will get executed and the malicious pull request filename will
flow into the `List all changed files` step below.
```yaml
- name: List all changed files
  run: |
    # the step output is substituted into the script text before bash runs it
    for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
      echo "$file was changed"
    done
```
Example output:
```text
##[group]Run for file in $(whoami).txt; do
for file in $(whoami).txt; do
  echo "$file was changed"
done
shell: /usr/bin/bash -e {0}
##[endgroup]
runner.txt was changed
```
### Impact
This issue may lead to arbitrary command execution in the GitHub Runner.
### Resolution
- A new `safe_output` input would be enabled by default and return filename paths escaping special characters like `;`, `` ` `` (backtick), `$`, `()`, etc. for bash environments.
- A safe recommendation of using environment variables to store unsafe outputs.
```yaml
- name: List all changed files
  env:
    # the output reaches the shell only as variable contents, never as script text
    ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
  run: |
    for file in "$ALL_CHANGED_FILES"; do
      echo "$file was changed"
    done
```
### Resources
* [Keeping your GitHub Actions and workflows secure Part 2: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input/)
* [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
---
### Release Notes
<details>
<summary>tj-actions/changed-files (tj-actions/changed-files)</summary>
### [`v41`](https://togithub.com/tj-actions/changed-files/releases/tag/v41)
[Compare Source](https://togithub.com/tj-actions/changed-files/compare/v40...v41)
##### Changes in v41.0.1
##### What's Changed
- Upgraded to v41 by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1811](https://togithub.com/tj-actions/changed-files/pull/1811)
- chore(deps): update dependency eslint-plugin-prettier to v5.1.2 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1813](https://togithub.com/tj-actions/changed-files/pull/1813)
- fix: update characters escaped by safe output by [@jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1815](https://togithub.com/tj-actions/changed-files/pull/1815)

**Full Changelog**: tj-actions/changed-files@v41...v41.0.1
***
##### Changes in v41.0.0
##### 🔥 🔥 BREAKING CHANGE 🔥 🔥
A new `safe_output` input is now available to prevent outputting unsafe filename characters (enabled by default). This would escape characters in the filename that could be used for command injection.
> [!NOTE]
> This can be disabled by setting `safe_output` to false; this comes with a recommendation to store all generated outputs in an environment variable first before using them.
##### Example
```yaml
...
- name: Get changed files
  id: changed-files
  uses: tj-actions/changed-files@v40
  with:
    safe_output: false # set to false because we are using an environment variable to store the output and avoid command injection.
- name: List all added files
  env:
    ADDED_FILES: ${{ steps.changed-files.outputs.added_files }}
  run: |
    for file in "$ADDED_FILES"; do
      echo "$file was added"
    done
...
```
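To make the two patterns concrete (the raw interpolation in the advisory's proof of concept and the `env`-based mitigation shown both in the advisory's resolution and in the release-notes example above), here is an added shell example, not code from the advisory or from the action, that emulates the text substitution a `${{ ... }}` expression undergoes before a `run` script is executed. The file list `CHANGED` is constructed.

```shell
# Added example: emulates how a `${{ ... }}` expression is pasted into the
# text of a `run` script before the shell parses it, versus handing the
# same value to the shell through an environment variable.

# Constructed "changed files" output: one benign path plus a filename that
# carries a command substitution, as in the advisory's proof of concept.
CHANGED='src/app.js $(echo INJECTED).txt'

# Unsafe pattern: the value becomes part of the script *text*, so the
# shell that parses the script treats `$(echo INJECTED)` as code to run.
run_interpolated() {
  script="for file in $1; do printf '%s\\n' \"\$file\"; done"
  sh -c "$script"
}

# Mitigation from the advisory: the script text is a constant; the value
# only ever arrives as variable contents, which the shell never re-parses.
run_via_env() {
  ALL_CHANGED_FILES="$1" sh -c 'for file in "$ALL_CHANGED_FILES"; do printf "%s\n" "$file"; done'
}

# Stand-alone demonstration:
#   run_interpolated "$CHANGED" prints src/app.js and INJECTED.txt, i.e.
#   the embedded command ran and its output replaced the `$(...)` text;
#   run_via_env "$CHANGED" prints the list verbatim, `$(echo` and all.
```

Note that the advisory's loop quotes `"$ALL_CHANGED_FILES"`, so the body runs once with the whole space-separated list; splitting it into individual files is a separate step, and however you split it, the values are never re-parsed as shell syntax.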
##### What's Changed
- chore(deps): update typescript-eslint monorepo to v6.15.0 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1801](https://togithub.com/tj-actions/changed-files/pull/1801)
- Upgraded to v40.2.3 by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1800](https://togithub.com/tj-actions/changed-files/pull/1800)
- chore(deps): update dependency eslint-plugin-prettier to v5.1.0 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1802](https://togithub.com/tj-actions/changed-files/pull/1802)
- chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1803](https://togithub.com/tj-actions/changed-files/pull/1803)
- chore(deps): update dependency eslint-plugin-prettier to v5.1.1 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1804](https://togithub.com/tj-actions/changed-files/pull/1804)
- fix: update safe output regex and the docs by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1805](https://togithub.com/tj-actions/changed-files/pull/1805)
- Revert "chore(deps): update actions/download-artifact action to v4" by [@jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1806](https://togithub.com/tj-actions/changed-files/pull/1806)
- Update README.md by [@jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1808](https://togithub.com/tj-actions/changed-files/pull/1808)
- chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1809](https://togithub.com/tj-actions/changed-files/pull/1809)
- Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1810](https://togithub.com/tj-actions/changed-files/pull/1810)

**Full Changelog**: tj-actions/changed-files@v40...v41.0.0
***
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" in timezone Europe/Zurich,
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/swisspost/design-system).
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

1 parent aab1d75, commit 9446bc1
File tree: 1 file changed, 1 addition and 1 deletion: `.github/workflows/fetch-icons.yaml`
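Review bot: the diff body did not survive rendering; all that is visible is that one line (line 72) of `.github/workflows/fetch-icons.yaml` was replaced, and the commit message says this is the `tj-actions/changed-files` `v40` -> `v41` bump for CVE-2023-51664. Two things worth confirming on that line and in the steps that follow it: the action reference should be pinned to a full commit SHA rather than the mutable `v41` tag, and any later step that consumes the action's outputs should receive them through `env` rather than interpolating `${{ steps.<id>.outputs.* }}` into a `run` block, since v41 only escapes filename characters while `safe_output` is left at its default of true.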