From a579245f4545b7abd84edc141b21f7242c6d2a82 Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Thu, 1 Oct 2020 19:31:10 +0200 Subject: [PATCH] Fix CVE-2020-15228 Signed-off-by: CrazyMax --- dist/index.js | 103 ++++++++++++++++++++++++++++++++++++++++---------- package.json | 2 +- yarn.lock | 8 ++-- 3 files changed, 89 insertions(+), 24 deletions(-) diff --git a/dist/index.js b/dist/index.js index b2f0948..712a13e 100644 --- a/dist/index.js +++ b/dist/index.js @@ -1261,6 +1261,8 @@ var __importStar = (this && this.__importStar) || function (mod) { }; Object.defineProperty(exports, "__esModule", { value: true }); const command_1 = __webpack_require__(351); +const file_command_1 = __webpack_require__(717); +const utils_1 = __webpack_require__(278); const os = __importStar(__webpack_require__(87)); const path = __importStar(__webpack_require__(622)); /** @@ -1287,9 +1289,17 @@ var ExitCode; */ // eslint-disable-next-line @typescript-eslint/no-explicit-any function exportVariable(name, val) { - const convertedVal = command_1.toCommandValue(val); + const convertedVal = utils_1.toCommandValue(val); process.env[name] = convertedVal; - command_1.issueCommand('set-env', { name }, convertedVal); + const filePath = process.env['GITHUB_ENV'] || ''; + if (filePath) { + const delimiter = '_GitHubActionsFileCommandDelimeter_'; + const commandValue = `${name}<<${delimiter}${os.EOL}${convertedVal}${os.EOL}${delimiter}`; + file_command_1.issueCommand('ENV', commandValue); + } + else { + command_1.issueCommand('set-env', { name }, convertedVal); + } } exports.exportVariable = exportVariable; /** @@ -1305,7 +1315,13 @@ exports.setSecret = setSecret; * @param inputPath */ function addPath(inputPath) { - command_1.issueCommand('add-path', {}, inputPath); + const filePath = process.env['GITHUB_PATH'] || ''; + if (filePath) { + file_command_1.issueCommand('PATH', inputPath); + } + else { + command_1.issueCommand('add-path', {}, inputPath); + } process.env['PATH'] = `${inputPath}${path.delimiter}${process.env['PATH']}`; } exports.addPath = addPath; @@ -1475,6 +1491,32 @@ const lt = (a, b, loose) => compare(a, b, loose) < 0 module.exports = lt +/***/ }), + +/***/ 278: +/***/ (function(__unusedmodule, exports) { + +"use strict"; + +// We use any as a valid input type +/* eslint-disable @typescript-eslint/no-explicit-any */ +Object.defineProperty(exports, "__esModule", { value: true }); +/** + * Sanitizes an input into a string so it can be passed into issueCommand safely + * @param input input to sanitize into a string + */ +function toCommandValue(input) { + if (input === null || input === undefined) { + return ''; + } + else if (typeof input === 'string' || input instanceof String) { + return input; + } + return JSON.stringify(input); +} +exports.toCommandValue = toCommandValue; +//# sourceMappingURL=utils.js.map + /***/ }), /***/ 293: @@ -1568,6 +1610,7 @@ var __importStar = (this && this.__importStar) || function (mod) { }; Object.defineProperty(exports, "__esModule", { value: true }); const os = __importStar(__webpack_require__(87)); +const utils_1 = __webpack_require__(278); /** * Commands * @@ -1621,28 +1664,14 @@ class Command { return cmdStr; } } -/** - * Sanitizes an input into a string so it can be passed into issueCommand safely - * @param input input to sanitize into a string - */ -function toCommandValue(input) { - if (input === null || input === undefined) { - return ''; - } - else if (typeof input === 'string' || input instanceof String) { - return input; - } - return JSON.stringify(input); -} -exports.toCommandValue = toCommandValue; function escapeData(s) { - return toCommandValue(s) + return utils_1.toCommandValue(s) .replace(/%/g, '%25') .replace(/\r/g, '%0D') .replace(/\n/g, '%0A'); } function escapeProperty(s) { - return toCommandValue(s) + return utils_1.toCommandValue(s) .replace(/%/g, '%25') .replace(/\r/g, '%0D') .replace(/\n/g, '%0A') @@ -2845,6 +2874,42 @@ const toComparators = (range, options) => module.exports = toComparators +/***/ }), + +/***/ 717: +/***/ (function(__unusedmodule, exports, __webpack_require__) { + +"use strict"; + +// For internal use, subject to change. +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k]; + result["default"] = mod; + return result; +}; +Object.defineProperty(exports, "__esModule", { value: true }); +// We use any as a valid input type +/* eslint-disable @typescript-eslint/no-explicit-any */ +const fs = __importStar(__webpack_require__(747)); +const os = __importStar(__webpack_require__(87)); +const utils_1 = __webpack_require__(278); +function issueCommand(command, message) { + const filePath = process.env[`GITHUB_${command}`]; + if (!filePath) { + throw new Error(`Unable to find environment variable for file command ${command}`); + } + if (!fs.existsSync(filePath)) { + throw new Error(`Missing file at path: ${filePath}`); + } + fs.appendFileSync(filePath, `${utils_1.toCommandValue(message)}${os.EOL}`, { + encoding: 'utf8' + }); +} +exports.issueCommand = issueCommand; +//# sourceMappingURL=file-command.js.map + /***/ }), /***/ 741: diff --git a/package.json b/package.json index 8a8fcb5..525aaef 100644 --- a/package.json +++ b/package.json @@ -27,7 +27,7 @@ ], "license": "MIT", "dependencies": { - "@actions/core": "^1.2.5", + "@actions/core": "^1.2.6", "@actions/exec": "^1.0.4", "@actions/io": "^1.0.2", "semver": "^7.3.2" diff --git a/yarn.lock b/yarn.lock index 7c3d86f..95e146f 100644 --- a/yarn.lock +++ b/yarn.lock @@ -2,10 +2,10 @@ # yarn lockfile v1 -"@actions/core@^1.2.5": - version "1.2.5" - resolved "https://registry.yarnpkg.com/@actions/core/-/core-1.2.5.tgz#fa57bf8c07a38191e243beb9ea9d8368c1cb02c8" - integrity sha512-mwpoNjHSWWh0IiALdDEQi3tru124JKn0yVNziIBzTME8QRv7thwoghVuT1jBRjFvdtoHsqD58IRHy1nf86paRg== +"@actions/core@^1.2.6": + version "1.2.6" + resolved "https://registry.yarnpkg.com/@actions/core/-/core-1.2.6.tgz#a78d49f41a4def18e88ce47c2cac615d5694bf09" + integrity sha512-ZQYitnqiyBc3D+k7LsgSBmMDVkOVidaagDG7j3fOym77jNunWRuYx7VSHa9GNfFZh+zh61xsCjRj4JxMZlDqTA== "@actions/exec@^1.0.4": version "1.0.4"