opensearch-plugins
[FEATURE] Install Gradle Wrapper Validation Action org-wide
Is your feature request related to a problem?
The Gradle Wrapper jar file is used extensively by organization repos to run tests. The jar file included with the installation is a binary executable. A nefarious actor could attempt to upload an arbitrary executable containing malicious code under an innocent-sounding PR like "Update Gradle Wrapper". I actually did such a PR (although with valid code) here and here.
Here's what the updated binary looked like during review:

I'm not sure if the reviewers validated that it was legitimate or just trusted me. :-)
Gradle publishes a Gradle Wrapper Validation Action which can easily be added to a repo's PR workflow. All it does is validate that the SHA-256 checksum matches a legitimate release.
That validation workflow is only presently installed on three opensearch-project repos.
What solution would you like?
Install that workflow to run organization-wide.
Practically speaking, it's copying the content of one of the other workflows from their .github directory to the .github directory of this project. Individual projects can override this default if they choose.
What alternatives have you considered?
Recommending all repo-owners create the workflow, duplicating the configuration.
Do you have any additional context?
See the Gradle Wrapper Validation Action README.
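The check the issue body describes (hash the wrapper jar, accept it only if the SHA-256 matches a published release) reduces to a few lines of shell. The script below is an added example, not code from the opensearch-project repos or from Gradle's action; it assumes the caller supplies an allowlist file of known-good checksums (the real action fetches Gradle's published wrapper checksums), and the allowlist used in the usage note is constructed for the demo.

```shell
#!/bin/sh
# Added example: a minimal stand-in for what the Gradle Wrapper Validation
# Action does. It hashes every gradle-wrapper.jar under a directory and
# accepts a jar only if its SHA-256 appears in an allowlist of known-good
# checksums. The allowlist is an assumption of this example: the real action
# downloads the list of published wrapper checksums from Gradle.

# Use whichever SHA-256 tool exists on this host (GNU coreutils or BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# validate_wrappers ROOT ALLOWLIST_FILE
#   ALLOWLIST_FILE holds one lowercase hex SHA-256 per line.
#   Returns 0 when every gradle-wrapper.jar under ROOT is on the allowlist,
#   1 when any jar is unknown or when no wrapper jar is found at all
#   (a missing jar is treated as a failure so a renamed binary cannot
#   silently skip the check).
validate_wrappers() {
  root="$1"
  allowlist="$2"
  status=0
  found=0
  # Feed find's output through a here-document rather than a pipe so that
  # the loop runs in the current shell and $status survives it.
  while read -r jar; do
    [ -n "$jar" ] || continue
    found=1
    hash=$(sha256_of "$jar")
    if grep -qx "$hash" "$allowlist"; then
      echo "ok       $jar $hash"
    else
      echo "UNKNOWN  $jar $hash" >&2
      status=1
    fi
  done <<EOF
$(find "$root" -name gradle-wrapper.jar -type f)
EOF
  if [ "$found" -ne 1 ]; then
    echo "no gradle-wrapper.jar found under $root" >&2
    return 1
  fi
  return "$status"
}

# Usage: sh check-wrapper.sh <repo-root> <allowlist-file>
if [ $# -eq 2 ]; then
  validate_wrappers "$1" "$2"
fi
```

Run as `sh check-wrapper.sh . known-wrapper-checksums.txt` from a repository root; a non-zero exit is what a PR workflow would fail on. The allowlist must come from Gradle's published checksums, never from the PR itself, otherwise the same PR that swaps the jar could also update the expected hash.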
Checksum validation at runtime is a good idea, let's do it. But I think the "malicious actor" story doesn't quite apply, because you're not such an actor and there's a code review from another actor. It's just that we can't examine binaries, so trust but verify.
@dbwiddis unfortunately we have other repos which don't use the Java/Gradle build system.
@dbwiddis What do you want to do about this one?
I plan to convert this to a template: https://docs.github.com/en/actions/using-workflows/creating-starter-workflows-for-your-organization
Just haven't had the time to do it but haven't forgotten.
I've updated my PR opensearch-project/.github#118 to create a template. It will show as a Starter workflow for any project that has a gradle wrapper in its project root.
LMK if you want me to run a campaign to suggest maintainers who use the gradle wrapper to use this workflow.
Once the PR is merged I will create a separate PR to add instructions to https://github.com/opensearch-project/opensearch-plugins/blob/main/WORKFLOWS.md
Closed opensearch-project/.github#118. Leaving this issue open as a reminder to me to add the workflow in opensearch-plugins. Maintainers feel free to move this issue there.
Moved. You could start with opensearch-plugin-template-java.