Closed renovate[bot] closed 5 months ago
Aviator will automatically update this comment as the status of the PR changes. Comment
/aviator refresh
to force Aviator to re-examine your PR (or learn about other/aviator
commands).
This PR was merged manually (without Aviator). Merging manually can negatively impact the performance of the queue. Consider using Aviator next time.
Unable to locate .performanceTestingBot config file
In many situations, applications will rely on OS provided functions, scripts, macros and utilities instead of reimplementing them in code. While functions would typically be accessed through a native interface library, the remaining three OS provided features will normally be invoked via the command line or launched as a process. If unsafe inputs are used to construct commands or arguments, it may allow arbitrary OS operations to be performed that can compromise the server.
Hi there! :wave: Thanks for opening a PR. It looks like you've already reached the 5 review limit on our Basic Plan for the week. If you still want a review, feel free to upgrade your subscription in the Web App and then reopen the PR
View changes in DiffLens
This PR has 2
quantified lines of changes. In general, a change size of upto 200
lines is ideal for the best PR experience!
Was this comment helpful? :thumbsup: :ok_hand: :thumbsdown: (Email) Customize PullRequestQuantifier for this repository.
Thanks for opening this Pull Request! We need you to:
Fill out the description.
Action: Edit description and replace <!- ... -->
with actual values.
Complete the activities.
Action: Complete If you want to rebase/retry this PR, check this box
If an activity is not applicable, use '\~activity description\~' to mark it not applicable.
[!IMPORTANT]
Auto Review Skipped
Bot user detected.
To trigger a single review, invoke the
@coderabbitai review
command.
Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?
This PR contains the following updates:
v40
->v41
GitHub Vulnerability Alerts
CVE-2023-51664
Summary
The
tj-actions/changed-files
workflow allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets.Details
The
changed-files
action returns a list of files changed in a commit or pull request which provides anescape_json
input enabled by default, only escapes"
for JSON values.This could potentially allow filenames that contain special characters such as
;
and ` (backtick) which can be used by an attacker to take over the GitHub Runner if the output value is used in a raw fashion (thus being directly replaced before execution) inside arun
block. By running custom commands an attacker may be able to steal secrets such asGITHUB_TOKEN
if triggered on other events thanpull_request
. For example onpush
.Proof of Concept
$(whoami).txt
which is a valid filename.List all changed files
step below.Example output:
Impact
This issue may lead to arbitrary command execution in the GitHub Runner.
Resolution
A new
safe_output
input would be enabled by default and return filename paths escaping special characters like ;, ` (backtick), $, (), etc for bash environments.A safe recommendation of using environment variables to store unsafe outputs.
Resources
Release Notes
tj-actions/changed-files (tj-actions/changed-files)
### [`v41`](https://togithub.com/tj-actions/changed-files/releases/tag/v41) [Compare Source](https://togithub.com/tj-actions/changed-files/compare/v40...v41) ##### Changes in v41.1.2 ##### What's Changed - Upgraded to v41.1.1 by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1854](https://togithub.com/tj-actions/changed-files/pull/1854) - chore(deps): update dependency prettier to v3.2.2 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1855](https://togithub.com/tj-actions/changed-files/pull/1855) - chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1856](https://togithub.com/tj-actions/changed-files/pull/1856) - chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.11.1 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1857](https://togithub.com/tj-actions/changed-files/pull/1857) - chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.11.2 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1858](https://togithub.com/tj-actions/changed-files/pull/1858) - chore(deps): update typescript-eslint monorepo to v6.19.0 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1860](https://togithub.com/tj-actions/changed-files/pull/1860) - feat: enhance error handling and working directory resolution by [@jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1859](https://togithub.com/tj-actions/changed-files/pull/1859) - chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.11.3 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1862](https://togithub.com/tj-actions/changed-files/pull/1862) - chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.11.4 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1863](https://togithub.com/tj-actions/changed-files/pull/1863) - chore(deps): update tj-actions/eslint-changed-files action to v22 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1864](https://togithub.com/tj-actions/changed-files/pull/1864) - chore(deps): update dependency prettier to v3.2.3 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1867](https://togithub.com/tj-actions/changed-files/pull/1867) - fix: bug with incorrect action path by [@jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1866](https://togithub.com/tj-actions/changed-files/pull/1866) - chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.11.5 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1868](https://togithub.com/tj-actions/changed-files/pull/1868) **Full Changelog**: https://github.com/tj-actions/changed-files/compare/v41...v41.1.2 *** ##### Changes in v41.1.1 ##### What's Changed - Upgraded to v41.1.0 by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1852](https://togithub.com/tj-actions/changed-files/pull/1852) - fix: bug with inaccurate warnings by [@jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1853](https://togithub.com/tj-actions/changed-files/pull/1853) **Full Changelog**: https://github.com/tj-actions/changed-files/compare/v41...v41.1.1 *** ##### Changes in v41.1.0 ##### What's Changed - Upgraded to v41.0.1 by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1816](https://togithub.com/tj-actions/changed-files/pull/1816) - chore: update matrix-test.yml by [@jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1814](https://togithub.com/tj-actions/changed-files/pull/1814) - chore(deps): update typescript-eslint monorepo to v6.16.0 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1819](https://togithub.com/tj-actions/changed-files/pull/1819) - chore(deps): update tj-actions/verify-changed-files action to v17 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1820](https://togithub.com/tj-actions/changed-files/pull/1820) - chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.10.6 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1821](https://togithub.com/tj-actions/changed-files/pull/1821) - chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1822](https://togithub.com/tj-actions/changed-files/pull/1822) - chore(deps): update typescript-eslint monorepo to v6.17.0 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1823](https://togithub.com/tj-actions/changed-files/pull/1823) - chore(deps): update dependency eslint-plugin-jest to v27.6.1 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1824](https://togithub.com/tj-actions/changed-files/pull/1824) - chore(deps): update typescript-eslint monorepo to v6.18.0 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1827](https://togithub.com/tj-actions/changed-files/pull/1827) - chore: create workflow-run-test.yml by [@jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1828](https://togithub.com/tj-actions/changed-files/pull/1828) - Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1830](https://togithub.com/tj-actions/changed-files/pull/1830) - chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.10.7 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1831](https://togithub.com/tj-actions/changed-files/pull/1831) - chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1833](https://togithub.com/tj-actions/changed-files/pull/1833) - chore: update jest.config.js by [@jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1834](https://togithub.com/tj-actions/changed-files/pull/1834) - chore(deps): update typescript-eslint monorepo to v6.18.1 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1835](https://togithub.com/tj-actions/changed-files/pull/1835) - chore(deps-dev): bump [@types/node](https://togithub.com/types/node) from 20.10.7 to 20.10.8 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/tj-actions/changed-files/pull/1836](https://togithub.com/tj-actions/changed-files/pull/1836) - chore(deps): update dependency eslint-plugin-prettier to v5.1.3 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1837](https://togithub.com/tj-actions/changed-files/pull/1837) - chore(deps): update dependency eslint-plugin-jest to v27.6.2 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1838](https://togithub.com/tj-actions/changed-files/pull/1838) - chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.11.0 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1839](https://togithub.com/tj-actions/changed-files/pull/1839) - chore(deps): update dependency prettier to v3.2.0 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1844](https://togithub.com/tj-actions/changed-files/pull/1844) - chore: update warning message by [@jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1845](https://togithub.com/tj-actions/changed-files/pull/1845) - chore: create multi-job-test.yml by [@jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1843](https://togithub.com/tj-actions/changed-files/pull/1843) - chore(deps): update dependency eslint-plugin-jest to v27.6.3 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1846](https://togithub.com/tj-actions/changed-files/pull/1846) - chore(deps): update dependency prettier to v3.2.1 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1847](https://togithub.com/tj-actions/changed-files/pull/1847) - chore: update top level workflow permissions by [@jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1848](https://togithub.com/tj-actions/changed-files/pull/1848) - feat: add support for forcing the use of GitHub’s REST API by [@jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1849](https://togithub.com/tj-actions/changed-files/pull/1849) - Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1850](https://togithub.com/tj-actions/changed-files/pull/1850) - fix: permission with release workflow by [@jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1851](https://togithub.com/tj-actions/changed-files/pull/1851) **Full Changelog**: https://github.com/tj-actions/changed-files/compare/v41...v41.1.0 *** ##### Changes in v41.0.1 ##### What's Changed - Upgraded to v41 by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1811](https://togithub.com/tj-actions/changed-files/pull/1811) - chore(deps): update dependency eslint-plugin-prettier to v5.1.2 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1813](https://togithub.com/tj-actions/changed-files/pull/1813) - fix: update characters escaped by safe output by [@jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1815](https://togithub.com/tj-actions/changed-files/pull/1815) **Full Changelog**: https://github.com/tj-actions/changed-files/compare/v41...v41.0.1 *** ##### Changes in v41.0.0 ##### 🔥 🔥 BREAKING CHANGE 🔥 🔥 A new `safe_output` input is now available to prevent outputting unsafe filename characters (Enabled by default). This would escape characters in the filename that could be used for command injection. > \[!NOTE] > This can be disabled by setting the `safe_output` to false this comes with a recommendation to store all outputs generated in an environment variable first before using them. ##### Example ```yaml ... - name: Get changed files id: changed-files uses: tj-actions/changed-files@v40 with: safe_output: false # set to false because we are using an environment variable to store the output and avoid command injection. - name: List all added files env: ADDED_FILES: ${{ steps.changed-files.outputs.added_files }} run: | for file in "$ADDED_FILES"; do echo "$file was added" done ... ``` ##### What's Changed - chore(deps): update typescript-eslint monorepo to v6.15.0 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1801](https://togithub.com/tj-actions/changed-files/pull/1801) - Upgraded to v40.2.3 by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1800](https://togithub.com/tj-actions/changed-files/pull/1800) - chore(deps): update dependency eslint-plugin-prettier to v5.1.0 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1802](https://togithub.com/tj-actions/changed-files/pull/1802) - chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1803](https://togithub.com/tj-actions/changed-files/pull/1803) - chore(deps): update dependency eslint-plugin-prettier to v5.1.1 by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1804](https://togithub.com/tj-actions/changed-files/pull/1804) - fix: update safe output regex and the docs by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1805](https://togithub.com/tj-actions/changed-files/pull/1805) - Revert "chore(deps): update actions/download-artifact action to v4" by [@jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1806](https://togithub.com/tj-actions/changed-files/pull/1806) - Update README.md by [@jackton1](https://togithub.com/jackton1) in [https://github.com/tj-actions/changed-files/pull/1808](https://togithub.com/tj-actions/changed-files/pull/1808) - chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in [https://github.com/tj-actions/changed-files/pull/1809](https://togithub.com/tj-actions/changed-files/pull/1809) - Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in [https://github.com/tj-actions/changed-files/pull/1810](https://togithub.com/tj-actions/changed-files/pull/1810) **Full Changelog**: https://github.com/tj-actions/changed-files/compare/v40...v41.0.0 ***Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.