Repo includes Adobe Flash file which causes intelligent firewall to block zipball download by GitHub Actions
This repo currently includes an .swf (Adobe Flash) file thanks to one of the NPM packages that is pulled into the node_modules tree: node-forge.
Located at: node_modules/node-forge/flash
At our company, our intelligent firewall scans inside the zip file during the zipball download of the repo by GitHub Actions, detects the .swf file and blocks the entire download. As a result, we're unable to do CodeQL scanning on an on-prem server.
Hi
Can you elaborate on which bundle you are using? I tried downloading https://github.com/github/codeql-cli-binaries/releases/download/v2.21.2/codeql.zip from https://github.com/github/codeql-cli-binaries/releases and the only node_modules folder I can find is
find . -name node_modules
./javascript/tools/typescript-parser-wrapper/node_modules
and that folder does not contain a node-forge folder.
Hi, thanks for the quick response. I didn't look closely enough at the URL in question. GitHub Actions is actually downloading the repo (/zipball) contents, which does contain the .swf file.
uses: github/codeql-action/init@v3
...
uses: github/codeql-action/analyze@v3
...
Download action repository 'github/codeql-action@v3' (SHA:28deaeda66b76a05916b6923827895f2b14ab387)
Warning: Failed to download action 'https://api.github.com/repos/github/codeql-action/zipball/28deaeda66b76a05916b6923827895f2b14ab387'. Error: Error while copying content to a stream.
The error is from our firewall terminating the download when it detects the .swf file. Thank you!
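Added example, not part of this thread or of the codeql-action project: a small Python check that does what the reporter's firewall does, inspecting a zipball (e.g. one fetched by hand with curl before a runner does) for Flash content by both the .swf extension and the SWF magic bytes, so a renamed file is caught too. The archive layout and file names below are constructed for the demo; only the node_modules/node-forge/flash path comes from the thread.

```python
import io
import zipfile

# SWF (Adobe Flash) files begin with one of three signatures:
# FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def find_flash_entries(zip_bytes: bytes) -> list[dict]:
    """Return every archive member that looks like Flash content.

    A member is flagged if its name ends in .swf OR its first three bytes
    match an SWF signature. Directories are skipped and only the first
    three bytes of each member are decompressed, so this is cheap even
    for a large zipball.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(3)
            by_ext = info.filename.lower().endswith(".swf")
            by_magic = head in SWF_MAGICS
            if by_ext or by_magic:
                hits.append({
                    "name": info.filename,
                    "size": info.file_size,
                    "by_extension": by_ext,
                    "by_magic": by_magic,
                })
    return hits


def build_sample_zipball() -> bytes:
    """Constructed sample zipball mimicking the layout described in the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("repo-abc123/package.json", '{"name": "sample"}')
        # Hypothetical .swf under the node-forge path named in the issue.
        zf.writestr("repo-abc123/node_modules/node-forge/flash/sample.swf",
                    b"CWS\x08" + b"\x00" * 16)
        zf.writestr("repo-abc123/node_modules/node-forge/flash/README.txt",
                    b"text only")
        # Same content with the extension stripped: still caught by magic bytes.
        zf.writestr("repo-abc123/src/renamed.bin", b"FWS\x06" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_flash_entries(build_sample_zipball()):
        print(hit)
```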