security update:remove branch name injection
Branch names are externally user-generated input, therefore they constitute a vulnerability point (although very niche). For this reason it's better to limit user generated input in shell scripts like the one in our file, when using clever-tools. Instead of using env.BRANCH_NAME in our script, we'll use github.event.number, which is the number of the PR on the repo.
juliamrch committed Jan 31, 2024
1 parent 3ea5153 commit 8a2c0b6
Showing 2 changed files with 9 additions and 11 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -69,7 +69,7 @@ For better security, we advise generating a specific `CLEVER_SECRET` and `CLEVER
4. Log into the Console with your new user credetials
5. Get the generated `CLEVER_SECRET` and `CLEVER_TOKEN` and inject it into your repository secrets

Repeat steps 1-3 and connect from your main account to set your personal tokens. Your GitHub Acction user's tokens won't be revoked and will be used only from GitHub.
Run `clever login` again and connect from your main account to set your personal tokens. Your GitHub Acction user's tokens won't be revoked and will be used only from GitHub.

## Inject App Secrets

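Review bot: the replacement line "Run `clever login` again ..." carries over the typo "Acction" (GitHub Action) from the line it replaces, and step 4 in the context just above reads "credetials"; since this paragraph is being rewritten anyway, fix both spellings here. The phrase "set your personal tokens" is also ambiguous about where the tokens land; say explicitly that the second `clever login` restores your own tokens on the local machine while the Action user's tokens stay in the repository secrets, which is what the following sentence already implies.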
18 changes: 8 additions & 10 deletions action.yml
Expand Up @@ -12,8 +12,7 @@ on:

# Inject these secrets in your GitHub repository.
# List more secrets if needed, for example: HUGO_VERSION: ${{ secrets.HUGO_VERSION }}
env:
BRANCH_NAME: ${{ github.head_ref || github.ref_name }}


jobs:
deploy:
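Review bot: dropping `BRANCH_NAME: ${{ github.head_ref || github.ref_name }}` from the workflow-level `env:` is the right fix, because `github.head_ref` is a branch name chosen by whoever opened the pull request and every `${{ }}` expression inside a `run:` block is substituted into the script text before the shell executes it, so quoting in the script cannot neutralise it; `github.event.number` is an integer assigned by GitHub. Two follow-ups for this hunk: the `env:` key is now left with no entries (only the two comments above it), so either remove it or check that an empty `env:` mapping still validates, and the comment still suggests `HUGO_VERSION: ${{ secrets.HUGO_VERSION }}`, which is fine as an `env:` entry but should then be referenced as `"$HUGO_VERSION"` in the script rather than re-interpolated with `${{ env.HUGO_VERSION }}`.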
Expand Down Expand Up @@ -50,16 +49,15 @@ jobs:
# Use "clever create" to deploy your app.
# Replace <type>, <app-name> and <region>
run: |
clever create --type <type> <app-name>-${{ env.BRANCH_NAME }} --alias <app-name>-${{ env.BRANCH_NAME }} --region <region> --org "$ORGA_ID"
clever create --type <type> <app-name>-PR-${{ github.event.number }} --alias <app-name>-PR-${{ github.event.number }} --region <region> --org "$ORGA_ID"
# Set environment variable with "clever env set".
# For example: clever env set CC_WEBROOT "/public"
# Inject your secrets as well, for ex:
#clever env set HUGO_VERSION ${{env.HUGO_VERSION}}
clever env set <VARIABLE_NAME> "<variable_value>"
clever domain add clever-doc-review-${{ env.BRANCH_NAME }}.cleverapps.io
# Set review app domain with "clever domain add".
# Replace <app-name>
clever domain add <app-name>-${{ env.BRANCH_NAME }}.cleverapps.io
clever domain add <app-name>-PR-${{ github.event.number }}.cleverapps.io
clever deploy
# Post your domain in PR's discussion
# Replace <app-name>
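Review bot: the removed line `clever domain add clever-doc-review-${{ env.BRANCH_NAME }}.cleverapps.io` was a project-specific leftover duplicating the templated `clever domain add` just below it, so deleting it is correct. For the remaining commands, prefer passing the PR number through the step's `env:` (for example `PR_NUMBER: ${{ github.event.number }}`) and writing `<app-name>-PR-"$PR_NUMBER"` in the script: it is the same value, but it keeps the rule "no `${{ }}` inside `run:`" uniform, so a later edit that swaps in a string-valued context does not reopen the injection this commit closes. The commented example `#clever env set HUGO_VERSION ${{env.HUGO_VERSION}}` is exactly that pattern and should read `clever env set HUGO_VERSION "$HUGO_VERSION"` with `HUGO_VERSION` mapped in `env:`.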
Expand All @@ -68,7 +66,7 @@ jobs:
with:
script: |
const issue_number = context.payload.pull_request.number;
const message = `Deployment has finished 👁️👄👁️ Your app is available [here](https://<app-name>-${process.env.BRANCH_NAME}.cleverapps.io)`;
const message = `Deployment has finished 👁️👄👁️ Your app is available [here](https://<app-name>-PR-${{ github.event.number }}.cleverapps.io)`;
github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
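Review bot: inside the `github-script` block, `issue_number` on the line above already holds `context.payload.pull_request.number`, which is the same value as `github.event.number`; use `${issue_number}` in the template literal instead of a `${{ }}` workflow expression, so the script has one source of truth and no workflow-expression text is spliced into the JavaScript source. Removing `process.env.BRANCH_NAME` here is consistent with dropping the variable from `env:` in the first hunk.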
Expand Down Expand Up @@ -103,15 +101,15 @@ jobs:
ORGA_ID: ${{ secrets.ORGA_ID }}
# Replace <app-name>
run: |
clever link -o "$ORGA_ID" <app-name>-${{ env.BRANCH_NAME }}
clever link -o "$ORGA_ID" <app-name>-PR-${{ github.event.number }}
clever deploy
- name: Comment PR
uses: actions/github-script@v5
with:
# Replace <app-name>
script: |
const issue_number = context.payload.pull_request.number;
const message = `🚀 Your app has been updated and is available [here](https://<app-name>-${process.env.BRANCH_NAME}.cleverapps.io)`;
const message = `🚀 Your app has been updated and is available [here](https://<app-name>-PR-${{ github.event.number }}.cleverapps.io)`;
github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
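Review bot: same remark as for the comment step of the deploy job: `issue_number` is defined one line up and should be used as `${issue_number}` rather than `${{ github.event.number }}`. Separately, `actions/github-script@v5` is referenced by a mutable tag; since this workflow holds the Clever Cloud tokens and `ORGA_ID` in its secrets, pin third-party actions to a full commit SHA (with the tag in a trailing comment) so a retargeted or compromised tag cannot run arbitrary code with access to them.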
Expand All @@ -134,8 +132,8 @@ jobs:
- name: Delete app
# Replace <app-name>
run: |
clever link -o "$ORGA_ID" <app-name>-${{ env.BRANCH_NAME }}
clever delete --alias <app-name>-${{ env.BRANCH_NAME }} --yes
clever link -o "$ORGA_ID" <app-name>-PR-${{ github.event.number }}
clever delete --alias <app-name>-PR-${{ github.event.number }} --yes
- name: Comment PR
uses: actions/github-script@v5
with:
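Review bot: `clever delete --yes` is non-interactive and irreversible, and the alias it targets is now derived from `github.event.number`, which is only populated on pull-request-type events; confirm that this job is restricted to the `closed` pull request event (the trigger is outside this hunk). Also confirm that the `clever link -o "$ORGA_ID"` line runs with the same `ORGA_ID: ${{ secrets.ORGA_ID }}` mapping shown in the update job's hunk; it is not visible here, and without it the link fails and the review app is never removed. The alias naming now matches `clever create --alias <app-name>-PR-...` from the first action.yml hunk, which is what makes the delete step find the right app.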

0 comments on commit 8a2c0b6

Please sign in to comment.