Skip to content

Commit

Permalink
chore(deps): update tj-actions/changed-files action to v41 [security] (
Browse files Browse the repository at this point in the history
…#2433)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[tj-actions/changed-files](https://togithub.com/tj-actions/changed-files)
| action | major | `v40` -> `v41` |

### GitHub Vulnerability Alerts

####
[CVE-2023-51664](https://togithub.com/tj-actions/changed-files/security/advisories/GHSA-mcph-m25j-8j63)

### Summary
The `tj-actions/changed-files` workflow allows for command injection in
changed filenames, allowing an attacker to execute arbitrary code and
potentially leak secrets.

### Details
The [`changed-files`](https://togithub.com/tj-actions/changed-files)
action returns a list of files changed in a commit or pull request which
provides an `escape_json` input [enabled by
default](https://togithub.com/tj-actions/changed-files/blob/94549999469dbfa032becf298d95c87a14c34394/action.yml#L136),
only escapes `"` for JSON values.

This could potentially allow filenames that contain special characters
such as `;` and \` (backtick) which can be used by an attacker to take
over the [GitHub
Runner](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners)
if the output value is used in a raw fashion (thus being directly
replaced before execution) inside a `run` block. By running custom
commands an attacker may be able to steal **secrets** such as
`GITHUB_TOKEN` if triggered on other events than `pull_request`. For
example on `push`.

#### Proof of Concept

1. Submit a pull request to a repository with a new file injecting a
command. For example `$(whoami).txt` which is a valid filename.
2. Upon approval of the workflow (triggered by the pull request), the
action will get executed and the malicious pull request filename will
flow into the `List all changed files` step below.

```yaml
      - name: List all changed files
        run: |
          for file in $; do
            echo "$file was changed"
          done
```

Example output:

```yaml

##[group]Run for file in $(whoami).txt; do
    for file in $(whoami).txt; do
        echo "$file was changed"
    done
shell: /usr/bin/bash -e {0}

##[endgroup]
runner.txt was changed
```

### Impact

This issue may lead to arbitrary command execution in the GitHub Runner.

### Resolution
- A new `safe_output` input would be enabled by default and return
filename paths escaping special characters like ;, ` (backtick), $, (),
etc for bash environments.

- A safe recommendation of using environment variables to store unsafe
outputs.

```yaml
- name: List all changed files
  env:
    ALL_CHANGED_FILES: $
  run: |
    for file in "$ALL_CHANGED_FILES"; do
      echo "$file was changed"
    done
```

### Resources

* [Keeping your GitHub Actions and workflows secure Part 2: Untrusted
input](https://securitylab.github.com/research/github-actions-untrusted-input/)
* [Keeping your GitHub Actions and workflows secure Part 1: Preventing
pwn
requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)

---

### Release Notes

<details>
<summary>tj-actions/changed-files (tj-actions/changed-files)</summary>

###
[`v41`](https://togithub.com/tj-actions/changed-files/releases/tag/v41)

[Compare
Source](https://togithub.com/tj-actions/changed-files/compare/v40...v41)

##### Changes in v41.0.1

##### What's Changed

- Upgraded to v41 by
[@&#8203;tj-actions-bot](https://togithub.com/tj-actions-bot) in
[https://github.com/tj-actions/changed-files/pull/1811](https://togithub.com/tj-actions/changed-files/pull/1811)
- chore(deps): update dependency eslint-plugin-prettier to v5.1.2 by
[@&#8203;renovate](https://togithub.com/renovate) in
[https://github.com/tj-actions/changed-files/pull/1813](https://togithub.com/tj-actions/changed-files/pull/1813)
- fix: update characters escaped by safe output by
[@&#8203;jackton1](https://togithub.com/jackton1) in
[https://github.com/tj-actions/changed-files/pull/1815](https://togithub.com/tj-actions/changed-files/pull/1815)

**Full Changelog**:
tj-actions/changed-files@v41...v41.0.1

***

##### Changes in v41.0.0

##### 🔥 🔥 BREAKING CHANGE 🔥 🔥

A new `safe_output` input is now available to prevent outputting unsafe
filename characters (Enabled by default). This would escape characters
in the filename that could be used for command injection.

> \[!NOTE]
> This can be disabled by setting the `safe_output` to false this comes
with a recommendation to store all outputs generated in an environment
variable first before using them.

##### Example

```yaml
...
    - name: Get changed files
      id: changed-files
      uses: tj-actions/changed-files@v40
      with:
        safe_output: false # set to false because we are using an environment variable to store the output and avoid command injection.

    - name: List all added files
      env:
        ADDED_FILES: ${{ steps.changed-files.outputs.added_files }}
      run: |
        for file in "$ADDED_FILES"; do
          echo "$file was added"
        done
...
```

##### What's Changed

- chore(deps): update typescript-eslint monorepo to v6.15.0 by
[@&#8203;renovate](https://togithub.com/renovate) in
[https://github.com/tj-actions/changed-files/pull/1801](https://togithub.com/tj-actions/changed-files/pull/1801)
- Upgraded to v40.2.3 by
[@&#8203;tj-actions-bot](https://togithub.com/tj-actions-bot) in
[https://github.com/tj-actions/changed-files/pull/1800](https://togithub.com/tj-actions/changed-files/pull/1800)
- chore(deps): update dependency eslint-plugin-prettier to v5.1.0 by
[@&#8203;renovate](https://togithub.com/renovate) in
[https://github.com/tj-actions/changed-files/pull/1802](https://togithub.com/tj-actions/changed-files/pull/1802)
- chore(deps): lock file maintenance by
[@&#8203;renovate](https://togithub.com/renovate) in
[https://github.com/tj-actions/changed-files/pull/1803](https://togithub.com/tj-actions/changed-files/pull/1803)
- chore(deps): update dependency eslint-plugin-prettier to v5.1.1 by
[@&#8203;renovate](https://togithub.com/renovate) in
[https://github.com/tj-actions/changed-files/pull/1804](https://togithub.com/tj-actions/changed-files/pull/1804)
- fix: update safe output regex and the docs by
[@&#8203;tj-actions-bot](https://togithub.com/tj-actions-bot) in
[https://github.com/tj-actions/changed-files/pull/1805](https://togithub.com/tj-actions/changed-files/pull/1805)
- Revert "chore(deps): update actions/download-artifact action to v4" by
[@&#8203;jackton1](https://togithub.com/jackton1) in
[https://github.com/tj-actions/changed-files/pull/1806](https://togithub.com/tj-actions/changed-files/pull/1806)
- Update README.md by [@&#8203;jackton1](https://togithub.com/jackton1)
in
[https://github.com/tj-actions/changed-files/pull/1808](https://togithub.com/tj-actions/changed-files/pull/1808)
- chore(deps): lock file maintenance by
[@&#8203;renovate](https://togithub.com/renovate) in
[https://github.com/tj-actions/changed-files/pull/1809](https://togithub.com/tj-actions/changed-files/pull/1809)
- Updated README.md by
[@&#8203;tj-actions-bot](https://togithub.com/tj-actions-bot) in
[https://github.com/tj-actions/changed-files/pull/1810](https://togithub.com/tj-actions/changed-files/pull/1810)

**Full Changelog**:
tj-actions/changed-files@v40...v41.0.0

***

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone Europe/Zurich,
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/swisspost/design-system).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xMDMuMSIsInVwZGF0ZWRJblZlciI6IjM3LjEwMy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
  • Loading branch information
renovate[bot] authored Jan 3, 2024
1 parent aab1d75 commit 9446bc1
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion .github/workflows/fetch-icons.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,7 @@ jobs:
- name: Get Changes
id: changed-files
uses: tj-actions/changed-files@v40
uses: tj-actions/changed-files@v41
with:
files: ./packages/icons/public/post-icons/**

Expand Down

0 comments on commit 9446bc1

Please sign in to comment.