Closed renovate[bot] closed 5 months ago
Aviator will automatically update this comment as the status of the PR changes. Comment `/aviator refresh` to force Aviator to re-examine your PR (or learn about other `/aviator` commands).
This PR was merged manually (without Aviator). Merging manually can negatively impact the performance of the queue. Consider using Aviator next time.
Unable to locate .performanceTestingBot config file
In many situations, applications will rely on OS provided functions, scripts, macros and utilities instead of reimplementing them in code. While functions would typically be accessed through a native interface library, the remaining three OS provided features will normally be invoked via the command line or launched as a process. If unsafe inputs are used to construct commands or arguments, it may allow arbitrary OS operations to be performed that can compromise the server.
This PR has 2 quantified lines of changes. In general, a change size of up to 200 lines is ideal for the best PR experience!
Hi there! :wave: Thanks for opening a PR. It looks like you've already reached the 5 review limit on our Basic Plan for the week. If you still want a review, feel free to upgrade your subscription in the Web App and then reopen the PR
Thanks for opening this Pull Request! We need you to:
1. Fill out the description.
   Action: Edit description and replace `<!- ... -->` with actual values.
2. Complete the activities.
   Action: Complete "If you want to rebase/retry this PR, check this box".
   If an activity is not applicable, use `~activity description~` to mark it not applicable.
[!IMPORTANT] Auto Review Skipped
Bot user detected.
To trigger a single review, invoke the `@coderabbitai review` command.
Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?
This PR contains the following updates: `v37` -> `v38`
GitHub Vulnerability Alerts
#### CVE-2023-51664
##### Summary
The `tj-actions/changed-files` workflow allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets.
##### Details
The `changed-files` action returns a list of files changed in a commit or pull request and provides an `escape_json` input, enabled by default, which only escapes `"` for JSON values. This could potentially allow filenames that contain special characters such as `;` and `` ` `` (backtick) which can be used by an attacker to take over the GitHub Runner if the output value is used in a raw fashion (thus being directly replaced before execution) inside a `run` block. By running custom commands an attacker may be able to steal secrets such as `GITHUB_TOKEN` if triggered on other events than `pull_request`, for example on `push`.
##### Proof of Concept
`$(whoami).txt`, which is a valid filename.
`List all changed files` step below.
Example output:
##### Impact
This issue may lead to arbitrary command execution in the GitHub Runner.
##### Resolution
A new `safe_output` input would be enabled by default and return filename paths escaping special characters like `;`, `` ` `` (backtick), `$`, `()`, etc. for bash environments. It is also recommended to use environment variables to store unsafe outputs.
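The generic OS command injection note earlier in this thread and the advisory's `escape_json` versus `safe_output` resolution describe the same defect from two angles: a value that was only made JSON-safe is later pasted into a bash `run` block. The JavaScript below is an added example written for this page; it is not code from tj-actions/changed-files or from this PR. It contrasts a quote-only escape with POSIX single-quote wrapping, and adds an audit helper that flags filenames carrying shell metacharacters so a workflow can route them through an environment variable instead of interpolating them. The metacharacter set is an assumption (a superset of the `;` `` ` `` `$` `(` `)` list in the advisory), the function names are invented, and the sample filenames are constructed; the action's real `safe_output` implementation may escape differently.

```javascript
// Added example for this PR page; not tj-actions/changed-files code.
// Contrasts escape_json-style escaping (only `"`) with bash-safe quoting,
// and audits a changed-files list for shell metacharacters.

// escape_json-style: only `"` is escaped, so `$(...)`, backticks and `;`
// survive untouched and bash interprets them if the value is interpolated
// directly into a run block.
function escapeJsonOnly(name) {
  return name.replace(/"/g, '\\"');
}

// Characters bash treats specially outside single quotes. Assumed list: a
// superset of the ; ` $ ( ) characters named in the advisory.
const SHELL_META = /[;`$()&|<>\\"'\s*?\[\]{}!#~]/;

// True when a filename could change the meaning of a command it is pasted into.
function hasShellMetachars(name) {
  return SHELL_META.test(name);
}

// POSIX single-quote wrapping: inside '...' nothing is interpreted, and an
// embedded single quote becomes '\'' (close quote, escaped quote, reopen).
// This applies the safe_output idea with single quotes instead of
// per-character backslashes (a technique choice for this example).
function shellQuote(name) {
  if (name.includes('\0')) {
    throw new Error('NUL byte cannot be passed through a shell argument');
  }
  return "'" + name.replace(/'/g, "'\\''") + "'";
}

// Partition a changed-files list into names safe to use verbatim and names
// that must be quoted or passed via env. Takes an array, so the action's
// output separator handling is out of scope here (assumption).
function auditChangedFiles(files) {
  const safe = [];
  const risky = [];
  for (const f of files) {
    (hasShellMetachars(f) ? risky : safe).push(f);
  }
  return { safe, risky, quoted: files.map(shellQuote) };
}

// Constructed sample: two benign paths and two that carry metacharacters.
const sample = ['src/main.ts', 'docs/README.md', '$(whoami).txt', 'a;b.txt'];
const report = auditChangedFiles(sample);
console.log('escape_json only:', sample.map(escapeJsonOnly).join(' '));
console.log('risky names:', report.risky);
console.log('bash-safe list:', report.quoted.join(' '));
```

In a workflow the `quoted` list is what a step could safely place after a command, while `risky` is what a policy check can refuse outright; the cleanest fix the advisory gives, storing the raw output in an `env:` variable and referencing `"$FILES"` in the script, avoids the interpolation entirely.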
##### Resources
Release Notes
tj-actions/changed-files (tj-actions/changed-files)
### [`v38`](https://togithub.com/tj-actions/changed-files/releases/tag/v38) [Compare Source](https://togithub.com/tj-actions/changed-files/compare/v37...v38)

##### Changes in v38.2.2
##### What's Changed
- chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1522](https://togithub.com/tj-actions/changed-files/pull/1522)
- Upgraded to v38.2.1 by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1523](https://togithub.com/tj-actions/changed-files/pull/1523)
- chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.5.8 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1524](https://togithub.com/tj-actions/changed-files/pull/1524)
- chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.5.9 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1525](https://togithub.com/tj-actions/changed-files/pull/1525)
- chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1526](https://togithub.com/tj-actions/changed-files/pull/1526)
- chore(deps): update actions/checkout action to v4 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1527](https://togithub.com/tj-actions/changed-files/pull/1527)
- chore(deps): update typescript-eslint monorepo to v6.6.0 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1530](https://togithub.com/tj-actions/changed-files/pull/1530)
- fix: bug with outputs when json is set to true by [@jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1531](https://togithub.com/tj-actions/changed-files/pull/1531)
- chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1532](https://togithub.com/tj-actions/changed-files/pull/1532)

**Full Changelog**: https://github.com/tj-actions/changed-files/compare/v38...v38.2.2

***

##### Changes in v38.2.1
##### What's Changed
- Upgraded to v38.2.0 by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1515](https://togithub.com/tj-actions/changed-files/pull/1515)
- chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1516](https://togithub.com/tj-actions/changed-files/pull/1516)
- chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1519](https://togithub.com/tj-actions/changed-files/pull/1519)
- chore(deps): bump test/demo from `8bbc726` to `5dfac2e` by [@dependabot](https://togithub.com/dependabot) in [https://github.com/tj-actions/changed-files/pull/1518](https://togithub.com/tj-actions/changed-files/pull/1518)
- fix: bug matching patterns by [@jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1520](https://togithub.com/tj-actions/changed-files/pull/1520)
- chore: update warning message by [@jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1521](https://togithub.com/tj-actions/changed-files/pull/1521)

**Full Changelog**: https://github.com/tj-actions/changed-files/compare/v38...v38.2.1

***

##### Changes in v38.2.0
##### New Feature
- Boolean Input `fail_on_initial_diff_error` now supports exiting with an error when the initial diff fails.
- Boolean Input `fail_on_submodule_diff_error` now supports exiting with an error when the submodule diff fails.

##### What's Changed
- Upgraded to v38.1.3 by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1503](https://togithub.com/tj-actions/changed-files/pull/1503)
- chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1504](https://togithub.com/tj-actions/changed-files/pull/1504)
- fix(deps): update dependency yaml to v2.3.2 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1505](https://togithub.com/tj-actions/changed-files/pull/1505)
- chore(deps): update typescript-eslint monorepo to v6.5.0 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1506](https://togithub.com/tj-actions/changed-files/pull/1506)
- chore(deps): update dependency eslint-plugin-github to v4.10.0 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1507](https://togithub.com/tj-actions/changed-files/pull/1507)
- chore(deps): update dependency prettier to v3.0.3 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1508](https://togithub.com/tj-actions/changed-files/pull/1508)
- Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1510](https://togithub.com/tj-actions/changed-files/pull/1510)
- feat: add support for failing on error by [@jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1511](https://togithub.com/tj-actions/changed-files/pull/1511)
- Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1513](https://togithub.com/tj-actions/changed-files/pull/1513)
- Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1514](https://togithub.com/tj-actions/changed-files/pull/1514)
- chore(deps): update dependency [@types/uuid](https://togithub.com/types/uuid) to v9.0.3 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1512](https://togithub.com/tj-actions/changed-files/pull/1512)

**Full Changelog**: https://github.com/tj-actions/changed-files/compare/v38...v38.2.0

***

##### Changes in v38.1.3
##### What's Changed
- chore(deps): update tj-actions/release-tagger action to v4 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1502](https://togithub.com/tj-actions/changed-files/pull/1502)

**Full Changelog**: https://github.com/tj-actions/changed-files/compare/v38.1.2...v38.1.3

***

##### Changes in v38.1.2
##### What's Changed
- chore(deps): update dependency eslint to v8.48.0 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1494](https://togithub.com/tj-actions/changed-files/pull/1494)
- Upgraded to v38.1.1 by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1495](https://togithub.com/tj-actions/changed-files/pull/1495)
- chore: update warning message by [@jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1497](https://togithub.com/tj-actions/changed-files/pull/1497)
- chore: update submodule by [@jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1498](https://togithub.com/tj-actions/changed-files/pull/1498)
- chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1499](https://togithub.com/tj-actions/changed-files/pull/1499)
- chore: update warning message by [@jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1500](https://togithub.com/tj-actions/changed-files/pull/1500)

**Full Changelog**: https://github.com/tj-actions/changed-files/compare/v38...v38.1.2

***

##### Changes in v38.1.1
##### What's Changed
- Upgraded to v38.1.0 by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1482](https://togithub.com/tj-actions/changed-files/pull/1482)
- Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1483](https://togithub.com/tj-actions/changed-files/pull/1483)
- chore(deps): update tj-actions/auto-doc action to v3 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1484](https://togithub.com/tj-actions/changed-files/pull/1484)
- Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1485](https://togithub.com/tj-actions/changed-files/pull/1485)
- Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1486](https://togithub.com/tj-actions/changed-files/pull/1486)
- chore(deps): update dependency jest to v29.6.4 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1488](https://togithub.com/tj-actions/changed-files/pull/1488)
- chore(deps): update dependency typescript to v5.2.2 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1489](https://togithub.com/tj-actions/changed-files/pull/1489)
- chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.5.6 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1490](https://togithub.com/tj-actions/changed-files/pull/1490)
- chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1491](https://togithub.com/tj-actions/changed-files/pull/1491)
- chore(deps): bump test/demo from `f0065d7` to `8bbc726` by [@dependabot](https://togithub.com/dependabot) in [https://github.com/tj-actions/changed-files/pull/1492](https://togithub.com/tj-actions/changed-files/pull/1492)
- Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1493](https://togithub.com/tj-actions/changed-files/pull/1493)

**Full Changelog**: https://github.com/tj-actions/changed-files/compare/v38...v38.1.1

***

##### Changes in v38.1.0
##### New Feature
- Input `fetch_additional_submodule_history` now supports fetching additional history for submodules.

##### What's Changed
- Upgraded to v38 by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1474](https://togithub.com/tj-actions/changed-files/pull/1474)
- chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1475](https://togithub.com/tj-actions/changed-files/pull/1475)
- feat: add support for fetching additional history for submodules by [@jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1476](https://togithub.com/tj-actions/changed-files/pull/1476)
- Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1477](https://togithub.com/tj-actions/changed-files/pull/1477)
- chore: move submodule update to dependabot and remove unused workflow by [@jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1478](https://togithub.com/tj-actions/changed-files/pull/1478)
- chore(deps-dev): bump [@types/node](https://togithub.com/types/node) from 20.5.3 to 20.5.4 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/tj-actions/changed-files/pull/1480](https://togithub.com/tj-actions/changed-files/pull/1480)
- chore(deps): bump test/demo from `e168fac` to `f0065d7` by [@dependabot](https://togithub.com/dependabot) in [https://github.com/tj-actions/changed-files/pull/1481](https://togithub.com/tj-actions/changed-files/pull/1481)

**Full Changelog**: https://github.com/tj-actions/changed-files/compare/v38...v38.1.0

***

##### Changes in v38.0.0
##### New Feature
- Inputs `dir_names_include_files` and `dir_names_include_files_separator` now support providing patterns that can be matched to return changed files alongside the directory names when the `dir_names` input is set to `true`

##### Breaking Changes
- Output paths for Windows now use a double backslash path separator. e.g `src\\main.ts`

##### What's Changed
- Upgraded to v37.6.1 by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1458](https://togithub.com/tj-actions/changed-files/pull/1458)
- chore(deps): update actions/setup-node action to v3.8.1 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1459](https://togithub.com/tj-actions/changed-files/pull/1459)
- chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.5.1 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1460](https://togithub.com/tj-actions/changed-files/pull/1460)
- chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1461](https://togithub.com/tj-actions/changed-files/pull/1461)
- chore(deps): update dependency jest to v29.6.3 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1462](https://togithub.com/tj-actions/changed-files/pull/1462)
- chore(deps): update typescript-eslint monorepo to v6.4.1 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1463](https://togithub.com/tj-actions/changed-files/pull/1463)
- chore: update .eslintrc.json by [@jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1465](https://togithub.com/tj-actions/changed-files/pull/1465)
- feat: add support for including matching changed files when dir_names is set to true by [@jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1464](https://togithub.com/tj-actions/changed-files/pull/1464)
- Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1466](https://togithub.com/tj-actions/changed-files/pull/1466)
- chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.5.3 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1467](https://togithub.com/tj-actions/changed-files/pull/1467)
- fix: bug with locating the previous tag by [@jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1470](https://togithub.com/tj-actions/changed-files/pull/1470)
- chore(deps): update dependency [@types/jest](https://togithub.com/types/jest) to v29.5.4 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1472](https://togithub.com/tj-actions/changed-files/pull/1472)
- chore: update test by [@jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1469](https://togithub.com/tj-actions/changed-files/pull/1469)
- fix: error getting diff for submodules by [@jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1473](https://togithub.com/tj-actions/changed-files/pull/1473)

**Full Changelog**: https://github.com/tj-actions/changed-files/compare/v37...v38.0.0

***

Configuration
Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
Automerge: Disabled by config. Please merge this manually once you are satisfied.
Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.