CoinGecko-Kotlin
Update tj-actions/changed-files action to v40 [SECURITY]
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| tj-actions/changed-files | action | major | `v39` -> `v40` |
GitHub Vulnerability Alerts
CVE-2023-51664
Summary
The tj-actions/changed-files action allows command injection through changed filenames, letting an attacker execute arbitrary code on the GitHub runner and potentially leak secrets.
Details
The changed-files action returns a list of files changed in a commit or pull request. Its `escape_json` input, enabled by default, escapes only the double quote (`"`) so that the output is usable inside JSON values; it does nothing about characters that are meaningful to a shell.
Filenames may therefore contain shell metacharacters such as `;`, `` ` `` (backtick) and `$( )`, and an attacker who controls a filename can take over the GitHub runner whenever the output value is used raw inside a `run` block: a `${{ }}` expression is substituted into the script text before bash starts, so the filename is parsed as shell code rather than as data. By running custom commands the attacker may be able to steal secrets such as `GITHUB_TOKEN` if the workflow is triggered on events other than `pull_request`, for example on `push`, because a pull request from a fork runs with a read-only token and no secrets, whereas a push runs with the repository's full token and secrets.
Proof of Concept
- Submit a pull request to a repository that adds a new file whose name injects a command, for example `$(whoami).txt`, which is a valid filename.
- Once the workflow triggered by the pull request is approved, the action runs and the malicious filename flows into the `List all changed files` step below.
```yaml
# assumes the earlier step that ran the action has id: changed-files
- name: List all changed files
  run: |
    for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
      echo "$file was changed"
    done
```
Example output:

```text
##[group]Run for file in $(whoami).txt; do
for file in $(whoami).txt; do
  echo "$file was changed"
done
shell: /usr/bin/bash -e {0}
##[endgroup]
runner.txt was changed
```
Impact
This issue may lead to arbitrary command execution in the GitHub Runner.
Resolution
- A new `safe_output` input, enabled by default, that returns filename paths with special characters such as `;`, `` ` `` (backtick), `$`, `(` and `)` escaped for bash environments.
- A recommendation to pass unsafe outputs to the script through environment variables rather than interpolating them into the `run` text.

Note that the v40.x release notes below do not list a `safe_output` input, so check that the version you actually install carries the fix before treating this update as closing the alert; the environment-variable pattern works regardless of version.
```yaml
# assumes the earlier step that ran the action has id: changed-files
- name: List all changed files
  env:
    ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
  run: |
    for file in "$ALL_CHANGED_FILES"; do
      echo "$file was changed"
    done
```
Resources
- Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
- Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
Release Notes
tj-actions/changed-files (tj-actions/changed-files)
v40
Changes in v40.2.3
What's Changed
- Upgraded to v40.2.2 by @tj-actions-bot in https://github.com/tj-actions/changed-files/pull/1787
- chore(deps): update dependency prettier to v3.1.1 by @renovate in https://github.com/tj-actions/changed-files/pull/1788
- chore(deps): lock file maintenance by @renovate in https://github.com/tj-actions/changed-files/pull/1789
- chore(deps): update typescript-eslint monorepo to v6.14.0 by @renovate in https://github.com/tj-actions/changed-files/pull/1790
- chore(deps): update github/codeql-action action to v3 by @renovate in https://github.com/tj-actions/changed-files/pull/1792
- chore(deps): update actions/download-artifact action to v4 by @renovate in https://github.com/tj-actions/changed-files/pull/1793
- chore(deps): lock file maintenance by @renovate in https://github.com/tj-actions/changed-files/pull/1795
- chore(deps): update dependency eslint to v8.56.0 by @renovate in https://github.com/tj-actions/changed-files/pull/1796
- chore(deps): update dependency @types/node to v20.10.5 by @renovate in https://github.com/tj-actions/changed-files/pull/1797
- chore(deps): lock file maintenance by @renovate in https://github.com/tj-actions/changed-files/pull/1798
- chore(deps): update actions/setup-node action to v4.0.1 by @renovate in https://github.com/tj-actions/changed-files/pull/1799
Full Changelog: https://github.com/tj-actions/changed-files/compare/v40...v40.2.3
Changes in v40.2.2
What's Changed
- Upgraded to v40.2.1 by @tj-actions-bot in https://github.com/tj-actions/changed-files/pull/1771
- chore(deps): update typescript-eslint monorepo to v6.13.2 by @renovate in https://github.com/tj-actions/changed-files/pull/1772
- chore: Create SECURITY.md by @jackton1 in https://github.com/tj-actions/changed-files/pull/1773
- chore: Update package.json by @jackton1 in https://github.com/tj-actions/changed-files/pull/1774
- chore(deps-dev): bump @types/jest from 29.5.10 to 29.5.11 by @dependabot in https://github.com/tj-actions/changed-files/pull/1775
- chore(deps): update dependency typescript to v5.3.3 by @renovate in https://github.com/tj-actions/changed-files/pull/1777
- Updated README.md by @tj-actions-bot in https://github.com/tj-actions/changed-files/pull/1778
- Updated README.md by @tj-actions-bot in https://github.com/tj-actions/changed-files/pull/1779
- chore(deps): update dependency @types/node to v20.10.4 by @renovate in https://github.com/tj-actions/changed-files/pull/1781
- chore(deps): bump tj-actions/branch-names from 7 to 8 by @dependabot in https://github.com/tj-actions/changed-files/pull/1782
- docs: add rodrigorfk as a contributor for code, test, and bug by @allcontributors in https://github.com/tj-actions/changed-files/pull/1785
- Updated README.md by @tj-actions-bot in https://github.com/tj-actions/changed-files/pull/1786
- fix: bug recovering deleted files for submodules by @jackton1 in https://github.com/tj-actions/changed-files/pull/1784
Full Changelog: https://github.com/tj-actions/changed-files/compare/v40...v40.2.2
Changes in v40.2.1
What's Changed
- Upgraded to v40.2.0 by @tj-actions-bot in https://github.com/tj-actions/changed-files/pull/1746
- chore: update README.md by @jackton1 in https://github.com/tj-actions/changed-files/pull/1749
- Updated README.md by @tj-actions-bot in https://github.com/tj-actions/changed-files/pull/1750
- chore(deps): update typescript-eslint monorepo to v6.13.0 by @renovate in https://github.com/tj-actions/changed-files/pull/1751
- chore(deps): update typescript-eslint monorepo to v6.13.1 by @renovate in https://github.com/tj-actions/changed-files/pull/1753
- chore: remove unused job by @jackton1 in https://github.com/tj-actions/changed-files/pull/1754
- Updated README.md by @tj-actions-bot in https://github.com/tj-actions/changed-files/pull/1755
- chore(deps): lock file maintenance by @renovate in https://github.com/tj-actions/changed-files/pull/1757
- security: remove usage of pull_request_target event from test.yml by @jackton1 in https://github.com/tj-actions/changed-files/pull/1758
- chore(deps): update dependency @types/node to v20.10.1 by @renovate in https://github.com/tj-actions/changed-files/pull/1761
- test: verify bug writing outputs when files_yaml is used by @jackton1 in https://github.com/tj-actions/changed-files/pull/1762
- security: Update test.yml removing pull_request_review event by @jackton1 in https://github.com/tj-actions/changed-files/pull/1763
- chore(deps): update dependency @types/node to v20.10.2 by @renovate in https://github.com/tj-actions/changed-files/pull/1764
- chore(deps): update dependency eslint to v8.55.0 by @renovate in https://github.com/tj-actions/changed-files/pull/1765
- chore(deps): update dependency eslint-config-prettier to v9.1.0 by @renovate in https://github.com/tj-actions/changed-files/pull/1766
- Updated README.md by @tj-actions-bot in https://github.com/tj-actions/changed-files/pull/1767
- Updated README.md by @tj-actions-bot in https://github.com/tj-actions/changed-files/pull/1769
- chore(deps): update dependency @types/node to v20.10.3 by @renovate in https://github.com/tj-actions/changed-files/pull/1768
- chore(deps): lock file maintenance by @renovate in https://github.com/tj-actions/changed-files/pull/1770
Full Changelog: https://github.com/tj-actions/changed-files/compare/v40...v40.2.1
Changes in v40.2.0
What's Changed
- Upgraded to v40.1.1 by @tj-actions-bot in https://github.com/tj-actions/changed-files/pull/1704
- chore(deps): lock file maintenance by @renovate in https://github.com/tj-actions/changed-files/pull/1706
- chore(deps): update dependency prettier to v3.1.0 by @renovate in https://github.com/tj-actions/changed-files/pull/1707
- chore(deps): update typescript-eslint monorepo to v6.11.0 by @renovate in https://github.com/tj-actions/changed-files/pull/1708
- chore: Update update-readme.yml by @jackton1 in https://github.com/tj-actions/changed-files/pull/1709
- Updated README.md by @tj-actions-bot in https://github.com/tj-actions/changed-files/pull/1710
- Updated README.md by @tj-actions-bot in https://github.com/tj-actions/changed-files/pull/1711
- Updated README.md by @tj-actions-bot in https://github.com/tj-actions/changed-files/pull/1712
- Updated README.md by @tj-actions-bot in https://github.com/tj-actions/changed-files/pull/1713
- Updated README.md by @tj-actions-bot in https://github.com/tj-actions/changed-files/pull/1714
- chore(deps): update dependency @types/node to v20.9.1 by @renovate in https://github.com/tj-actions/changed-files/pull/1715
- chore(deps): update dependency eslint to v8.54.0 by @renovate in https://github.com/tj-actions/changed-files/pull/1716
- chore(deps): update dependency @types/node to v20.9.2 by @renovate in https://github.com/tj-actions/changed-files/pull/1717
- chore(deps): lock file maintenance by @renovate in https://github.com/tj-actions/changed-files/pull/1720
- Updated README.md by @tj-actions-bot in https://github.com/tj-actions/changed-files/pull/1721
- chore: simplify matrix example workflow by @jackton1 in https://github.com/tj-actions/changed-files/pull/1719
- Updated README.md by @tj-actions-bot in https://github.com/tj-actions/changed-files/pull/1722
- chore(deps): update typescript-eslint monorepo to v6.12.0 by @renovate in https://github.com/tj-actions/changed-files/pull/1723
- chore(deps): update dependency typescript to v5.3.2 by @renovate in https://github.com/tj-actions/changed-files/pull/1724
- Bump @types/node from 20.9.2 to 20.9.3 by @dependabot in https://github.com/tj-actions/changed-files/pull/1725
- chore(deps): update dependency @types/jest to v29.5.9 by @renovate in https://github.com/tj-actions/changed-files/pull/1729
- chore(deps): update dependency @types/micromatch to v4.0.6 by @renovate in https://github.com/tj-actions/changed-files/pull/1731
- chore(deps): update dependency @types/lodash to v4.14.202 by @renovate in https://github.com/tj-actions/changed-files/pull/1730
- Bump @types/lodash from 4.14.201 to 4.14.202 by @dependabot in https://github.com/tj-actions/changed-files/pull/1728
- Bump @types/micromatch from 4.0.5 to 4.0.6 by @dependabot in https://github.com/tj-actions/changed-files/pull/1727
- Bump @types/jest from 29.5.8 to 29.5.9 by @dependabot in https://github.com/tj-actions/changed-files/pull/1726
- Bump @types/node from 20.9.3 to 20.9.4 by @dependabot in https://github.com/tj-actions/changed-files/pull/1732
- chore(deps): update dependency @types/jest to v29.5.10 by @renovate in https://github.com/tj-actions/changed-files/pull/1734
- chore(deps): update dependency @types/node to v20.9.5 by @renovate in https://github.com/tj-actions/changed-files/pull/1736
- chore(deps): update dependency @types/node to v20.10.0 by @renovate in https://github.com/tj-actions/changed-files/pull/1737
- chore(deps): lock file maintenance by @renovate in https://github.com/tj-actions/changed-files/pull/1743
- feat: add support for passing branch name to the base_sha and sha inputs by @jackton1 in https://github.com/tj-actions/changed-files/pull/1742
- fix: prevent similar commit hashes error when using the branch name by @jackton1 in https://github.com/tj-actions/changed-files/pull/1744
- fix: prevent similar commit hashes error when using the branch name by @jackton1 in https://github.com/tj-actions/changed-files/pull/1745
Full Changelog: https://github.com/tj-actions/changed-files/compare/v40...v40.2.0
Changes in v40.1.1
What's Changed
- Upgraded to v40.1.0 by @tj-actions-bot in https://github.com/tj-actions/changed-files/pull/1695
- chore(deps): update dependency eslint to v8.53.0 by @renovate in https://github.com/tj-actions/changed-files/pull/1696
- chore(deps): lock file maintenance by @renovate in https://github.com/tj-actions/changed-files/pull/1697
- chore(deps): update typescript-eslint monorepo to v6.10.0 by @renovate in https://github.com/tj-actions/changed-files/pull/1698
- chore(deps): update dependency @types/jest to v29.5.8 by @renovate in https://github.com/tj-actions/changed-files/pull/1699
- chore(deps): update dependency @types/uuid to v9.0.7 by @renovate in https://github.com/tj-actions/changed-files/pull/1702
- chore(deps): update dependency @types/micromatch to v4.0.5 by @renovate in https://github.com/tj-actions/changed-files/pull/1701
- chore(deps): update dependency @types/lodash to v4.14.201 by @renovate in https://github.com/tj-actions/changed-files/pull/1700
- chore(deps): update dependency @types/node to v20.9.0 by @renovate in https://github.com/tj-actions/changed-files/pull/1703
Full Changelog: https://github.com/tj-actions/changed-files/compare/v40...v40.1.1
Changes in v40.1.0
What's Changed
- Upgraded to v40.0.2 by @tj-actions-bot in https://github.com/tj-actions/changed-files/pull/1689
- fix(deps): update dependency yaml to v2.3.4 by @renovate in https://github.com/tj-actions/changed-files/pull/1691
- feat: add support for controlling the pattern order by @jackton1 in https://github.com/tj-actions/changed-files/pull/1693
- Updated README.md by @tj-actions-bot in https://github.com/tj-actions/changed-files/pull/1694
Full Changelog: https://github.com/tj-actions/changed-files/compare/v40...v40.1.0
Changes in v40.0.2
What's Changed
- Upgraded to v40.0.1 by @tj-actions-bot in https://github.com/tj-actions/changed-files/pull/1686
- chore(deps): update dependency @types/node to v20.8.10 by @renovate in https://github.com/tj-actions/changed-files/pull/1687
- fix: order of file patterns by @jackton1 in https://github.com/tj-actions/changed-files/pull/1688
Full Changelog: https://github.com/tj-actions/changed-files/compare/v40...v40.0.2
Changes in v40.0.1
What's Changed
- Upgraded to v40 by @tj-actions-bot in https://github.com/tj-actions/changed-files/pull/1672
- Updated README.md by @tj-actions-bot in https://github.com/tj-actions/changed-files/pull/1673
- Updated README.md by @tj-actions-bot in https://github.com/tj-actions/changed-files/pull/1675
- chore(deps): update dependency eslint-plugin-jest to v27.5.0 by @renovate in https://github.com/tj-actions/changed-files/pull/1674
- chore(deps): update dependency eslint-plugin-jest to v27.6.0 by @renovate in https://github.com/tj-actions/changed-files/pull/1676
- Updated README.md by @tj-actions-bot in https://github.com/tj-actions/changed-files/pull/1677
- Updated README.md by @tj-actions-bot in https://github.com/tj-actions/changed-files/pull/1678
- chore(deps): lock file maintenance by @renovate in https://github.com/tj-actions/changed-files/pull/1680
- chore(deps): update dependency @typescript-eslint/parser to v6.9.1 by @renovate in https://github.com/tj-actions/changed-files/pull/1682
- chore(deps): update dependency @typescript-eslint/eslint-plugin to v6.9.1 by @renovate in https://github.com/tj-actions/changed-files/pull/1683
- fix: bug with order in which the files and files ignore patterns are combined by @jackton1 in https://github.com/tj-actions/changed-files/pull/1684
- chore(deps): update dependency @types/jest to v29.5.7 by @renovate in https://github.com/tj-actions/changed-files/pull/1685
Full Changelog: https://github.com/tj-actions/changed-files/compare/v40...v40.0.1
Changes in v40.0.0
🔥 🔥 Breaking Change 🔥 🔥
- Directory patterns now require explicit specification of the globstar pattern to match all sub paths.
...
- name: Get specific changed files
id: changed-files-specific
uses: tj-actions/changed-files@v40
with:
files: |
- dir
+ dir/**
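Review bot: `uses: tj-actions/changed-files@v40` pins the action by a mutable major-version tag, so the code a workflow runs can change after this PR merges; for a third-party action that has just carried a command-injection advisory, pin the full commit SHA (keeping the version in a trailing comment) and let Renovate bump the SHA instead. The `dir` -> `dir/**` change is also silent on upgrade: a workflow that keeps a bare `dir` entry simply stops matching files under that directory, so audit every `files:` list for directory patterns when taking v40.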
What's Changed
- Upgraded to v39.2.4 by @tj-actions-bot in https://github.com/tj-actions/changed-files/pull/1664
- chore(deps): lock file maintenance by @renovate in https://github.com/tj-actions/changed-files/pull/1665
- Bump @types/node from 20.8.7 to 20.8.8 by @dependabot in https://github.com/tj-actions/changed-files/pull/1666
- chore(deps): update dependency @types/node to v20.8.9 by @renovate in https://github.com/tj-actions/changed-files/pull/1668
- remove: appending globstar pattern for directories to prevent bugs with path matching by @jackton1 in https://github.com/tj-actions/changed-files/pull/1670
- chore(deps): lock file maintenance by @renovate in https://github.com/tj-actions/changed-files/pull/1671
Full Changelog: https://github.com/tj-actions/changed-files/compare/v39...v40.0.0
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.