From 9446bc111d6cc1c3adee2a8a5829a12ecb1b3cf6 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 3 Jan 2024 09:02:54 +0100 Subject: [PATCH] chore(deps): update tj-actions/changed-files action to v41 [security] (#2433) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [tj-actions/changed-files](https://togithub.com/tj-actions/changed-files) | action | major | `v40` -> `v41` | ### GitHub Vulnerability Alerts #### [CVE-2023-51664](https://togithub.com/tj-actions/changed-files/security/advisories/GHSA-mcph-m25j-8j63) ### Summary The `tj-actions/changed-files` workflow allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. ### Details The [`changed-files`](https://togithub.com/tj-actions/changed-files) action returns a list of files changed in a commit or pull request which provides an `escape_json` input [enabled by default](https://togithub.com/tj-actions/changed-files/blob/94549999469dbfa032becf298d95c87a14c34394/action.yml#L136), only escapes `"` for JSON values. This could potentially allow filenames that contain special characters such as `;` and \` (backtick) which can be used by an attacker to take over the [GitHub Runner](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners) if the output value is used in a raw fashion (thus being directly replaced before execution) inside a `run` block. By running custom commands an attacker may be able to steal **secrets** such as `GITHUB_TOKEN` if triggered on other events than `pull_request`. For example on `push`. #### Proof of Concept 1. Submit a pull request to a repository with a new file injecting a command. For example `$(whoami).txt` which is a valid filename. 2. Upon approval of the workflow (triggered by the pull request), the action will get executed and the malicious pull request filename will flow into the `List all changed files` step below. ```yaml - name: List all changed files run: | for file in $; do echo "$file was changed" done ``` Example output: ```yaml ##[group]Run for file in $(whoami).txt; do for file in $(whoami).txt; do echo "$file was changed" done shell: /usr/bin/bash -e {0} ##[endgroup] runner.txt was changed ``` ### Impact This issue may lead to arbitrary command execution in the GitHub Runner. ### Resolution - A new `safe_output` input would be enabled by default and return filename paths escaping special characters like ;, ` (backtick), $, (), etc for bash environments. - A safe recommendation of using environment variables to store unsafe outputs. ```yaml - name: List all changed files env: ALL_CHANGED_FILES: $ run: | for file in "$ALL_CHANGED_FILES"; do echo "$file was changed" done ``` ### Resources * [Keeping your GitHub Actions and workflows secure Part 2: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input/) * [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) --- ### Release Notes
tj-actions/changed-files (tj-actions/changed-files) ### [`v41`](https://togithub.com/tj-actions/changed-files/releases/tag/v41) [Compare Source](https://togithub.com/tj-actions/changed-files/compare/v40...v41) ##### Changes in v41.0.1 ##### What's Changed - Upgraded to v41 by [@​tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1811](https://togithub.com/tj-actions/changed-files/pull/1811) - chore(deps): update dependency eslint-plugin-prettier to v5.1.2 by [@​renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1813](https://togithub.com/tj-actions/changed-files/pull/1813) - fix: update characters escaped by safe output by [@​jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1815](https://togithub.com/tj-actions/changed-files/pull/1815) **Full Changelog**: https://github.com/tj-actions/changed-files/compare/v41...v41.0.1 *** ##### Changes in v41.0.0 ##### 🔥 🔥 BREAKING CHANGE 🔥 🔥 A new `safe_output` input is now available to prevent outputting unsafe filename characters (Enabled by default). This would escape characters in the filename that could be used for command injection. > \[!NOTE] > This can be disabled by setting the `safe_output` to false this comes with a recommendation to store all outputs generated in an environment variable first before using them. ##### Example ```yaml ... - name: Get changed files id: changed-files uses: tj-actions/changed-files@v40 with: safe_output: false # set to false because we are using an environment variable to store the output and avoid command injection. - name: List all added files env: ADDED_FILES: ${{ steps.changed-files.outputs.added_files }} run: | for file in "$ADDED_FILES"; do echo "$file was added" done ... ``` ##### What's Changed - chore(deps): update typescript-eslint monorepo to v6.15.0 by [@​renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1801](https://togithub.com/tj-actions/changed-files/pull/1801) - Upgraded to v40.2.3 by [@​tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1800](https://togithub.com/tj-actions/changed-files/pull/1800) - chore(deps): update dependency eslint-plugin-prettier to v5.1.0 by [@​renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1802](https://togithub.com/tj-actions/changed-files/pull/1802) - chore(deps): lock file maintenance by [@​renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1803](https://togithub.com/tj-actions/changed-files/pull/1803) - chore(deps): update dependency eslint-plugin-prettier to v5.1.1 by [@​renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1804](https://togithub.com/tj-actions/changed-files/pull/1804) - fix: update safe output regex and the docs by [@​tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1805](https://togithub.com/tj-actions/changed-files/pull/1805) - Revert "chore(deps): update actions/download-artifact action to v4" by [@​jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1806](https://togithub.com/tj-actions/changed-files/pull/1806) - Update README.md by [@​jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1808](https://togithub.com/tj-actions/changed-files/pull/1808) - chore(deps): lock file maintenance by [@​renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1809](https://togithub.com/tj-actions/changed-files/pull/1809) - Updated README.md by [@​tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1810](https://togithub.com/tj-actions/changed-files/pull/1810) **Full Changelog**: https://github.com/tj-actions/changed-files/compare/v40...v41.0.0 ***
--- ### Configuration 📅 **Schedule**: Branch creation - "" in timezone Europe/Zurich, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/swisspost/design-system). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/fetch-icons.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/fetch-icons.yaml b/.github/workflows/fetch-icons.yaml index 861be9ec50..a682bf6a99 100644 --- a/.github/workflows/fetch-icons.yaml +++ b/.github/workflows/fetch-icons.yaml @@ -69,7 +69,7 @@ jobs: - name: Get Changes id: changed-files - uses: tj-actions/changed-files@v40 + uses: tj-actions/changed-files@v41 with: files: ./packages/icons/public/post-icons/**