From a71cadef91d468c22116cbbaf4ae568ab2627aa0 Mon Sep 17 00:00:00 2001
From: Joey Parrish
Date: Mon, 16 Dec 2024 14:34:42 -0800
Subject: [PATCH] ci: Read build matrix JSON explicitly (#219)

Because we used require() to read build-matrix.json, the file could be replaced with build-matrix.json.js, allowing code injection into our CI pipelines. This fixes this vulnerability by reading the JSON text with the fs module, then explicitly parsing it, rather than relying on require(). This exploit was discovered by a researcher, and the researcher's activity was spotted within hours. Workflows were immediately suspended. No evidence has been found of any tampering in this repository or its releases. Issue #216
---
 .github/workflows/build-and-test.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build-and-test.yaml b/.github/workflows/build-and-test.yaml
index e5132ae..25cdf9d 100644
--- a/.github/workflows/build-and-test.yaml
+++ b/.github/workflows/build-and-test.yaml
@@ -42,7 +42,6 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
-          path: repo-src
           ref: ${{ inputs.ref || (github.event.number && format('refs/pull/{0}/merge', github.event.number)) }}
 
       - name: Configure Build Matrix
@@ -55,7 +54,8 @@ jobs:
           // Use ENABLE_SELF_HOSTED to decide what the build matrix below
           // should include.
-          const {hosted, selfHosted, pythonVersions} = require("${{ github.workspace }}/repo-src/build-matrix.json");
+          const buildMatrix = JSON.parse(fs.readFileSync("${{ github.workspace }}/build-matrix.json"));
+          const {hosted, selfHosted, pythonVersions} = buildMatrix;
           const devices = enableSelfHosted ? hosted.concat(selfHosted) : hosted;
           const matrix = [];
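Review bot: The checkout on the `ref:` line still targets the pull request's merge ref (`refs/pull/{N}/merge`), and with `path: repo-src` dropped it now lands at the workspace root, so the `build-matrix.json` that the later step reads is still whatever the PR proposes; switching from `require()` to `fs` + `JSON.parse` closes the `.js` code-execution path but not a PR rewriting the matrix itself (for example adding entries to `selfHosted`, which the later step concatenates into the device list when `enableSelfHosted` is set). If this workflow can run forked PRs with secrets or on self-hosted runners (not visible here), consider fetching the base branch's copy of the file separately — a second `actions/checkout@v4` with `ref: ${{ github.event.pull_request.base.sha }}`, `sparse-checkout: build-matrix.json` and its own `path:` — and reading from that, or validating the parsed `hosted`/`selfHosted` values against a fixed allowlist of runner labels before building the matrix. A comment on the `ref:` line would also help the next reader: `# For PRs this is the untrusted merge ref; never execute files taken from it in this job`. The `steps:` list continues past the end of this hunk.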