docs icon indicating copy to clipboard operation
docs copied to clipboard

Published 20 hours ago verified publisher icon github

Possible vulnerability due to bad action example.

Open FeeeeK opened this issue 1 year ago • 5 comments

Code of Conduct

What article on docs.github.com is affected?

Almost every article with actions, for example: https://docs.github.com/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions

What part(s) of the article would you like to see updated?

Removal of ${{ }} in all conditions.

Because of bug in action runners (actions/runner#1173), it can lead to vulnerability. There is no error in the examples themselves (example run), but if you combine this condition with another one, the action will run even if the author isn't dependabot (example run); (example pull request with vulnerability) image image

Additional information

No response

FeeeeK avatar Mar 26 '23 16:03 FeeeeK

Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

welcome[bot] avatar Mar 26 '23 16:03 welcome[bot]

@FeeeeK Thanks so much for opening an issue! I'll triage this for the team to take a look :eyes:

cmwilson21 avatar Mar 28 '23 14:03 cmwilson21

Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert :eyes:

github-actions[bot] avatar Mar 28 '23 14:03 github-actions[bot]

After taking a look through the Dependabot documentation, I don't think any of our examples are affected.

This issue concern lines where ${{ }} is used multiple times outside of a string. In the Dependabot docs, we always use a single variable interpolation statement as a string.

For example: if: ${{contains(steps.metadata.outputs.dependency-names, 'my-dependency') && steps.metadata.outputs.update-type == 'version-update:semver-patch'}}

This seems like more of a bug than a vulnerability since it would only really affect workflows on an individual's repo, but I would double check that assessment with the Actions team.

Nishnha avatar Apr 05 '23 21:04 Nishnha

This is a gentle bump for the docs team that this issue is waiting for technical review.

github-actions[bot] avatar May 04 '23 16:05 github-actions[bot]

This is a gentle bump for the docs team that this issue is waiting for technical review.

github-actions[bot] avatar Jul 11 '23 16:07 github-actions[bot]

This is a gentle bump for the docs team that this issue is waiting for technical review.

github-actions[bot] avatar Aug 09 '23 16:08 github-actions[bot]

This is a gentle bump for the docs team that this issue is waiting for technical review.

github-actions[bot] avatar Sep 07 '23 16:09 github-actions[bot]

This is a gentle bump for the docs team that this issue is waiting for technical review.

github-actions[bot] avatar Oct 07 '23 16:10 github-actions[bot]

👋 Hey there @FeeeeK. Thank you for this issue and your patience while we're working through the backlog of GitHub Actions issues.

We recently made a few small, but critical changes to the docs about the ${{ }} expression syntax that may help here:

  • In jobs.<job_id>.if

    When you use expressions in an if conditional, you can, optionally, omit the ${{ }} expression syntax because GitHub Actions automatically evaluates the if conditional as an expression. However, this exception does not apply everywhere.

    You must always use the ${{ }} expression syntax or escape with '', "", or () when the expression starts with !, since ! is reserved notation in YAML format. For example:

    if: ${{ ! startsWith(github.ref, 'refs/tags/') }}

    For more information, see "Expressions."

  • In "About expressions"

    Expressions are commonly used with the conditional if keyword in a workflow file to determine whether a step should run. When an if conditional is true, the step will run.

    You need to use specific syntax to tell GitHub to evaluate an expression rather than treat it as a string.

    ${{ <expression> }}

    Note: The exception to this rule is when you are using expressions in an if clause, where, optionally, you can usually omit ${{ and }}. For more information about if conditionals, see "Workflow syntax for GitHub Actions."

However, I do notice that several of the examples in "Automating Dependabot with GitHub Actions" do contain the ${{ }} expression syntax within an if conditional—here, here, here, here, here, and here.

Since the expression syntax isn't required within an if conditional, it may be that all we need to do for this page of the documentation is remove the expression syntax from the examples I listed above.

What do you think about this?

jc-clark avatar Oct 12 '23 18:10 jc-clark

Hello, @jc-clark, yes, right now I think removing it from the example would be enough. By the way, the links you provided lead to https://github.com/github/docs-internal and I don't think it's a public repository

FeeeeK avatar Oct 12 '23 18:10 FeeeeK

Oh excellent point, thank you! I just fixed the links to point to the public repository. Let me know if those links work for you.

For now, I'll add the help-wanted label to this issue for anyone in the open source community to help make a PR to fix this.

The PR should remove the ${{ }} expression syntax within the if conditionals here, here, here, here, here, and here.

jc-clark avatar Oct 12 '23 19:10 jc-clark