diff --git a/.github/workflows/_example-workflow.yml b/.github/workflows/_example-workflow.yml
index e73086ad6..a86ac2592 100644
--- a/.github/workflows/_example-workflow.yml
+++ b/.github/workflows/_example-workflow.yml
@@ -69,12 +69,6 @@ jobs:
 ref: ${{ env.CHECKOUT_REF }}
 fetch-depth: 0
- - name: Check Dangerous Command Injection
- run: |
- export WORKSPACE=${{ github.workspace }}
- cd ${{ github.workspace }}
- bash -x .github/workflows/scripts/check_cmd_injection.sh
-
 - name: Clone Required Repo
 run: |
 cd ${{ github.workspace }}/${{ inputs.example }}/docker_image_build
diff --git a/.github/workflows/_get-test-matrix.yml b/.github/workflows/_get-test-matrix.yml
index 31a8e177f..c1f54d926 100644
--- a/.github/workflows/_get-test-matrix.yml
+++ b/.github/workflows/_get-test-matrix.yml
@@ -41,7 +41,14 @@ jobs:
 with:
 ref: ${{ env.CHECKOUT_REF }}
 fetch-depth: 0
-
+
+ - name: Check Dangerous Command Injection
+ if: github.event_name == 'pull_request' || github.event_name == 'pull_request_target'
+ run: |
+ export WORKSPACE=${{ github.workspace }}
+ cd ${{ github.workspace }}
+ bash -x .github/workflows/scripts/check_cmd_injection.sh
+
 - name: Get test matrix
 id: get-test-matrix
 run: |
diff --git a/.github/workflows/scripts/check_cmd_injection.sh b/.github/workflows/scripts/check_cmd_injection.sh
index 8408d3bc5..e386720d7 100644
--- a/.github/workflows/scripts/check_cmd_injection.sh
+++ b/.github/workflows/scripts/check_cmd_injection.sh
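Review bot: The new step in `_get-test-matrix.yml` is enabled for `pull_request_target` but executes `.github/workflows/scripts/check_cmd_injection.sh` (and, through the script's `source` line, `change_color`) from the tree checked out at `${{ env.CHECKOUT_REF }}`; the value of that ref is not visible here, but if it resolves to the PR head under `pull_request_target`, the checker is itself PR-modifiable, and because the script excludes `.github/workflows/scripts` from its own diff, edits to the checker are never flagged. The safer arrangement is to run the checker from the base branch: check the base ref out with `actions/checkout` into a separate `path:` and invoke the script from there, or fetch the base first and run `git show FETCH_HEAD:.github/workflows/scripts/check_cmd_injection.sh > "$RUNNER_TEMP/check.sh" && bash -x "$RUNNER_TEMP/check.sh"`. Either way, a one-line comment on the step stating that the checker must come from the base ref, not the PR ref, would document the intent for the next editor. `bash -x` also traces every expanded command into the job log, which is fine for this script but worth noting in that same comment as deliberate.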
@@ -5,15 +5,16 @@
 set -e
 cd ${WORKSPACE}
 [[ -f ${WORKSPACE}/diff_file ]] && rm -f ${WORKSPACE}/diff_file
+source .github/workflows/scripts/change_color
 # docker control/rm/scp/rsync/git cmd
 check_list=("docker stop" "docker rm" "docker kill" "sudo rm" "git .* -f")
 # exclude path
-exclude_check_path="${WORKSPACE}/.github/workflows/scripts"
+exclude_check_path=".github/workflows/scripts"
 # get change file lists (exclude delete files)
 git fetch origin main
-change_files=$(git diff main --name-status -- :^$exclude_check_path | grep -v "D" | awk '{print $2}')
+change_files=$(git diff FETCH_HEAD --name-status -- :^$exclude_check_path | grep -v "D" | awk '{print $2}')
 status="success"
 for file in ${change_files};
@@ -26,22 +27,13 @@ do
 exit 0
 fi
 # get added command
- git diff main ${file} | grep "^\+.*" | grep -v "^+++" | sed "s|\+||g" > ${WORKSPACE}/diff_file
- #cat diff_file | while read line; do
- # echo $line;
- # for (( i=0; i<${#check_list[@]}; i++)); do
- # if [[ $line == *"${check_list[$i]}"* ]]; then
- # echo "Found Dangerous Command: $line in $file, Please Check"
- # status="failed"
- # fi;
- # done;
- #done
- for (( i=0; i<${#check_list[@]}; i++)); do
+ git diff FETCH_HEAD ${file} | grep "^\+.*" | grep -v "^+++" | sed "s|\+||g" > ${WORKSPACE}/diff_file
+ for (( i=0; i<${#check_list[@]}; i++)); do
 if [[ $(cat diff_file | grep -c "${check_list[$i]}") != 0 ]]; then
- echo "Found Dangerous Command: $line in $file, Please Check"
+ $BOLD_RED && echo "Found Dangerous Command: [ ${check_list[$i]} ] in [ $file ], Please Check"
 status="failed"
- fi;
- done;
+ fi;
+ done;
 done
 [[ -f ${WORKSPACE}/diff_file ]] && rm -f ${WORKSPACE}/diff_file
 [[ $status == "failed" ]] && exit 1 || exit 0
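Review bot: `grep -v "D"` in the new `change_files` line drops every `--name-status` entry that contains a capital D anywhere, including paths such as `Dockerfile` or `README.md`, so those files are silently never scanned even though the comment says only deleted files are excluded. Let git do the filtering on the status column and take the last field so rename entries yield the new path: `change_files=$(git diff FETCH_HEAD --name-status --diff-filter=d -- ":^$exclude_check_path" | awk '{print $NF}')`. The unquoted `for file in ${change_files}` on the last context line also word-splits paths containing spaces; if the repository never has such paths that is tolerable, but a comment stating that assumption would help. Note that `FETCH_HEAD` here is whatever the preceding `git fetch origin main` retrieved, so the comparison is against the current tip of main rather than the merge base; for a PR branch that is behind main this can list files the PR did not touch, which is worth a comment if it is accepted behaviour.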
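Review bot: `$BOLD_RED && echo "Found Dangerous Command: …"` makes the diagnostic conditional on the exit status of whatever `$BOLD_RED` expands to (defined in the sourced `change_color`, not shown here); if that returns non-zero the finding is never printed while `status="failed"` is still set, so the job fails with no message in the log. Emit the colour and the message unconditionally, e.g. `$BOLD_RED; echo "Found Dangerous Command: [ ${check_list[$i]} ] in [ $file ], Please Check"`, and reset the colour afterwards with whatever helper `change_color` provides so the rest of the log is not coloured. The same loop writes to `${WORKSPACE}/diff_file` but reads `cat diff_file`, which only works because of the earlier `cd ${WORKSPACE}`; using `grep -c "${check_list[$i]}" "${WORKSPACE}/diff_file"` in both places removes that dependency and the useless `cat`. Since `grep -c` treats each entry as a basic regex substring (which is why `git .* -f` works), a header comment should state that this list is a best-effort heuristic, not a security boundary, so that nobody relies on it in place of running the checker from a trusted ref.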