simorgh icon indicating copy to clipboard operation
simorgh copied to clipboard

Published 20 hours ago verified publisher icon bbc

GitHub Workflows security hardening

Open sashashura opened this issue 1 year ago • 1 comments

This PR adds explicit permissions section to workflows. This is a security best practice because by default workflows run with extended set of permissions (except from on: pull_request from external forks). By specifying any permission explicitly all others are set to none. By using the principle of least privilege the damage a compromised workflow can do (because of an injection or compromised third party tool or action) is restricted. It is recommended to have most strict permissions on the top level and grant write permissions on job level case by case.

sashashura avatar Aug 29 '22 12:08 sashashura

Is anything else needed?

sashashura avatar Sep 20 '22 07:09 sashashura

Is anything else needed?

hey @sashashura apologies for the delayed response, unfortunately the change appears to have broken the CI build causing two of our checks to fail. I think it's because a custom webpack plugin we have created outputs some code as part of the build: https://github.com/bbc/simorgh/blob/latest/webpack.config.js#L68, I imagine this might require some write permissions.

Indeed I imagine building the app itself might need this to write the app build output to the build directory.

Thanks for your contribution, if you wish to take it any further you might want to look into allowing some scoped write permissions 🙂

andrewscfc avatar Sep 28 '22 15:09 andrewscfc

Do you mean the lint step in https://github.com/bbc/simorgh/actions/runs/3099439609/jobs/5018581826? Could you please rerun the workflow? I think it is not related to my changes, because it was triggered on pull_request and it has contents read and metadata read only. So I couldn't break it.

sashashura avatar Sep 29 '22 09:09 sashashura

@andrewscfc Could you please try re-running it?

sashashura avatar Oct 13 '22 14:10 sashashura

I get the error even if I don't touch permissions at all. Only modified the if condition to skip Chromatic UI in my fork's default branch - that it, and got the same error. Any ideas why?

sashashura avatar Oct 13 '22 20:10 sashashura

I get the error even if I don't touch permissions at all. Only modified the if condition to skip Chromatic UI in my fork's default branch - that it, and got the same error. Any ideas why?

hey, I've replicated this issue on a fork from my own account: https://github.com/bbc/simorgh/pull/10360.

I started looking into it and I suspect it is caused by webpack aliases not resolving for eslint on forks:

  • https://github.com/andrewscfc/simorgh/blob/latest/.eslintrc.js#L51
  • https://github.com/andrewscfc/simorgh/blob/latest/dirAlias.js#L36

I'll try and look into this over the next few weeks or please take a look yourself. It might need similar code to the resolvePath here but haven't had time to dig any deeper.

andrewscfc avatar Oct 14 '22 16:10 andrewscfc

Thanks for reproducing and looking into it. I don't understand how to fix this alias resolution, so I'll wait. Take your time and thank you!

sashashura avatar Oct 20 '22 09:10 sashashura