Protect against script injection attacks (#8)

mjbond-msft · web-flow · commit 374220ad8466 · 2023-06-07T08:09:12.000-07:00
diff --git a/.github/workflows/backport-action.yml b/.github/workflows/backport-action.yml
@@ -1,5 +1,4 @@
 name: Launch Backport Job
-
 on:
   workflow_call:
     inputs:
@@ -40,40 +39,65 @@ on:
       github_account_pat:
         description: PAT for a github account that has write access to source repository
         required: true
-
 jobs:
   launch_ado_build:
     runs-on: ubuntu-latest
+    env:
+      # Protect against script injection attacks via input variables (i.e., the content of the variables could be executed at the time of evaluation/expansion within a script)
+      # Scripts must consume the environment variable settings instead
+      GITHUB_REPOSITORY: "${{ inputs.github_repository }}"
+      GITHUB_ACCOUNT_PAT: "${{ secrets.github_account_pat }}"
+      COMMENT_AUTHOR: "${{ inputs.comment_author }}"
+      PULL_REQUEST_URL: "${{ inputs.pull_request_url }}"
+      TARGET_BRANCH: "${{ inputs.target_branch }}"
+      USE_FORK: "${{ inputs.use_fork }}"
+      ADO_ORGANIZATION: "${{ secrets.ado_organization }}"
+      ADO_PROJECT: "${{ secrets.ado_project }}"
+      ADO_PIPELINE_ID: "${{ secrets.backport_pipeline_id }}"
+      ADO_BUILD_PAT: "${{ secrets.ado_build_pat }}"
     steps:
       - name: Gather Parameters
         id: get_parameters
         run: |
           $statusCode = 0
           $message = ""
           try {
-            ($repoOwner, $repoName) = "${{ inputs.github_repository }}".Split("/")
-            $headers = $headers = @{ Authorization = "token ${{ secrets.github_account_pat }}"}
-            $uri = "https://api.github.com/repos/$repoOwner/$repoName/collaborators/${{ inputs.comment_author }}/permission"
-            Write-Host "Checking $repoOwner membership for ${{ inputs.comment_author }} via $uri"
+            $gitHubRepository = $env:GITHUB_REPOSITORY
+            $gitHubAccountPAT = $env:GITHUB_ACCOUNT_PAT
+            $commentAuthor = $env:COMMENT_AUTHOR
+            $pullRequestUrl = $env:PULL_REQUEST_URL
+            $backportTargetBranch = $env:TARGET_BRANCH
+            $useFork = $env:USE_FORK
+
+            Write-Host "GITHUB_REPOSITORY: ${gitHubRepository}"
+            Write-Host "COMMENT_AUTHOR: ${commentAuthor}"
+            Write-Host "PULL_REQUEST_URL: ${pullRequestUrl}"
+            Write-Host "TARGET_BRANCH: ${backportTargetBranch}"
+            Write-Host "USE_FORK: ${useFork}"
+
+            ($repoOwner, $repoName) = $gitHubRepository.Split("/")
+            $headers = $headers = @{ Authorization = "token ${gitHubAccountPAT}"}
+            $uri = "https://api.github.com/repos/${repoOwner}/${repoName}/collaborators/${commentAuthor}/permission"
+            Write-Host "Checking ${repoOwner} membership for ${commentAuthor} via $uri"
             $response = Invoke-WebRequest -Headers $headers -Uri $uri
             $content = $response.Content | ConvertFrom-Json
             $accessType = $content.permission
             Write-Host "Found membership: $accessType"
             if (-not ($accessType.Equals("admin") -or $accessType.Equals("write"))) {
-              throw "${{ inputs.comment_author }}/permission does not have sufficient permissions for ${{ inputs.github_repository }}"
+              throw "${commentAuthor}/permission does not have sufficient permissions for ${gitHubRepository}"
             }
 
-            Write-Host "Grabbing PR details from ${{ inputs.pull_request_url }}"
-            $response = Invoke-WebRequest -UseBasicParsing -Headers $headers -Uri "${{ inputs.pull_request_url }}" | ConvertFrom-Json
+            Write-Host "Grabbing PR details from ${pullRequestUrl}"
+            $response = Invoke-WebRequest -UseBasicParsing -Headers $headers -Uri "${pullRequestUrl}" | ConvertFrom-Json
             $backportPRNumber = $response.number
 
             $parameters = @{
               BackportRepoName = "$repoName";
               BackportRepoOrg = "$repoOwner";
-              BackportTargetBranch = "${{ inputs.target_branch }}";
+              BackportTargetBranch = "$backportTargetBranch";
               BackportPRNumber = "$backportPRNumber";
               BackportHeadSHA = "$($response.head.sha)";
-              UseFork = "${{ inputs.use_fork }}" -eq "true";
+              UseFork = $useFork -eq "true";
             } | ConvertTo-Json -Compress
 
             $json = $parameters.Replace("`"","'")
@@ -88,10 +112,22 @@ jobs:
         shell: pwsh
 
       - run: |
+          $adoOrganization = $env:ADO_ORGANIZATION
+          $adoProject = $env:ADO_PROJECT
+          $adoPipelineId = $env:ADO_PIPELINE_ID
+          $adoBuildPAT = $env:ADO_BUILD_PAT
+          $gitHubRepository = $env:GITHUB_REPOSITORY
+          $gitHubAccountPAT = $env:GITHUB_ACCOUNT_PAT
+
+          Write-Host "ADO_ORGANIZATION: ${adoOrganization}"
+          Write-Host "ADO_PROJECT: ${adoProject}"
+          Write-Host "ADO_PIPELINE_ID: ${adoPipelineId}"
+          Write-Host "GITHUB_REPOSITORY: ${gitHubRepository}"
+
           $message = ""
           $statusCode = 0
           try {
-            $launchURI = "https://dev.azure.com/${{ secrets.ado_organization }}/${{ secrets.ado_project }}/_apis/pipelines/${{ secrets.backport_pipeline_id }}/runs?api-version=6.0-preview.1"
+            $launchURI = "https://dev.azure.com/${adoOrganization}/${adoProject}/_apis/pipelines/${adoPipelineId}/runs?api-version=6.0-preview.1"
             Write-Host "Grabbing parameters from prior step"
             $parameters = ConvertFrom-Json "${{ steps.get_parameters.outputs.parameters }}"
             Write-Host "$parameters"
@@ -109,13 +145,13 @@ jobs:
 
             Write-Host "Posting to $launchURI"
             Write-Host $jsonBody
-            $encoded = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(":${{ secrets.ado_build_pat }}"))
+            $encoded = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(":${adoBuildPAT}"))
             $headers = @{ Authorization = "Basic $encoded"}
 
             $response = Invoke-WebRequest -UseBasicParsing -Method POST -Headers $headers -ContentType "application/json" -Uri $launchURI -Body $jsonBody
             $responseJson = ConvertFrom-Json $response.Content
             echo "Job successfully launched"
-            $message = "Backport Job to branch **$($parameters.BackportTargetBranch)** Created! The magic is happening [here](https://dev.azure.com/${{ secrets.ado_organization }}/${{ secrets.ado_project }}/_build/results?buildId=$($responseJson.id))"
+            $message = "Backport Job to branch **$($parameters.BackportTargetBranch)** Created! The magic is happening [here](https://dev.azure.com/${adoOrganization}/${adoProject}/_build/results?buildId=$($responseJson.id))"
           } catch {
             Write-Host $_.Exception.Message
             $message = "I couldn't create a backport to **$($parameters.BackportTargetBranch)** for you. :( Please check the Action logs for more details."
@@ -125,8 +161,8 @@ jobs:
               body = $message
             } | ConvertTo-Json
 
-            $headers = @{ Authorization = "token ${{ secrets.github_account_pat }}"}
-            $uri = "https://api.github.com/repos/${{ inputs.github_repository }}/issues/${{ steps.get_parameters.outputs.pr_number }}/comments"
+            $headers = @{ Authorization = "token ${gitHubAccountPAT}"}
+            $uri = "https://api.github.com/repos/${gitHubRepository}/issues/${{ steps.get_parameters.outputs.pr_number }}/comments"
 
 
             Write-Host "Posting to $uri"
diff --git a/README.md b/README.md
@@ -6,18 +6,37 @@ Contains an action that's responsible for running an Azure DevOps build which ba
 
 ## Trademarks
 
-This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft 
-trademarks or logos is subject to and must follow 
+This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft
+trademarks or logos is subject to and must follow
 [Microsoft's Trademark & Brand Guidelines](https://www.microsoft.com/en-us/legal/intellectualproperty/trademarks/usage/general).
 Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship.
 Any use of third-party trademarks or logos are subject to those third-party's policies.
 
 
-## Deploying
+## Testing
+
+You can test changes from your topic branch (PR branch) by using the `v1.0-test` tag. Associate the tag with your latest changes by performing the following steps
+
+```
+git checkout [TOPIC_BRANCH_NAME]
+git tag -f v1.0-test
+git push --tags --force
+```
+
+To excercise your changes associated with the `v1.0-test` tag, use the following test PR
+https://github.com/xamarin/backport-bot-action/pull/11
+
+Apply the following comment to the PR
+
+```
+@gitbot backport backport-target
+```
 
-Release management of the backport bot action is done though git tags. At present, the current release can be found at `v1.0`.
+See the [test PR](https://github.com/xamarin/backport-bot-action/pull/11) for additional guidance & details
+
+## Deploying
 
-For Staging, please use the `v1.0-alpha` tag or create a new tag specific to your PR, especially if there are multiple changes in flight.
+Release management of the backport bot action is done though git tags. At present, the current release can be found at `v1.1`.
 
 To deploy your changes, please:
 
@@ -30,7 +49,7 @@ git tag -f $TAG_NAME
 ```bash
 git push --tags
 ```
-Please note that for updating the `v1.0` tag (or any other tag you want to push if it already exists), you will need to `push --force` to overwrite the existing tag.
+Please note that for updating the `v1.1` tag (or any other tag you want to push if it already exists), you will need to `push --force` to overwrite the existing tag.
 
 In order to pick up the changes for Staging, make sure that the backport trigger YAML in your target repo (usually found at https://github.com/xamarin/$REPO_NAME/blob/main/.github/workflows/backport-trigger.yml) points to your desired tag.
 
@@ -39,3 +58,9 @@ For example, https://github.com/xamarin/.github/blob/main/.github/workflows/back
       - uses: xamarin/backport-bot-action@$TAG_NAME
 ```
 where `$TAG_NAME` is filled in with the actual name of the tag.
+
+You can list tags by executing the following command
+
+```
+git tag
+```
diff --git a/action.yml b/action.yml
@@ -1,6 +1,5 @@
 name: Backport Pull Request from Comment
 description: Launches a Backport Job from a GitHub Comment on an Issue
-author: Connor Adsit <cadsit@microsoft.com>
 inputs:
   pull_request_url:
     description: URL of the pull request from the issue comment event
@@ -34,32 +33,63 @@ inputs:
     required: false
     default: 'false'
 
+# https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#runs
 runs:
   using: "composite"
+  # https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#runsenv
+  env:
+    # Protect against script injection attacks via input variables (i.e., the content of the variables could be executed at the time of evaluation/expansion within a script)
+    # Scripts must consume the environment variable settings instead
+    GITHUB_REPOSITORY: "${{ inputs.github_repository }}"
+    GITHUB_ACCOUNT_PAT: "${{ inputs.github_account_pat }}"
+    COMMENT_AUTHOR: "${{ inputs.comment_author }}"
+    COMMENT_BODY: "${{ inputs.comment_body }}"
+    PULL_REQUEST_URL: "${{ inputs.pull_request_url }}"
+    USE_FORK: "${{ inputs.use_fork }}"
+    ADO_ORGANIZATION: "${{ inputs.ado_organization }}"
+    ADO_PROJECT: "${{ inputs.ado_project }}"
+    ADO_PIPELINE_ID: "${{ inputs.backport_pipeline_id }}"
+    ADO_BUILD_PAT: "${{ inputs.ado_build_pat }}"
   steps:
     - name: Gather Parameters
       id: get_parameters
       run: |
         $statusCode = 0
         $message = ""
         try {
-          ($repoOwner, $repoName) = "${{ inputs.github_repository }}".Split("/")
-          $headers = $headers = @{ Authorization = "token ${{ inputs.github_account_pat }}"}
-          $uri = "https://api.github.com/repos/$repoOwner/$repoName/collaborators/${{ inputs.comment_author }}/permission"
-          Write-Host "Checking $repoOwner membership for ${{ inputs.comment_author }} via $uri"
+          $gitHubRepository = $env:GITHUB_REPOSITORY
+          $gitHubAccountPAT = $env:GITHUB_ACCOUNT_PAT
+          $commentAuthor = $env:COMMENT_AUTHOR
+          $pullRequestUrl = $env:PULL_REQUEST_URL
+          $useFork = $env:USE_FORK
+
+          Write-Host "GITHUB_REPOSITORY: ${gitHubRepository}"
+          Write-Host "COMMENT_AUTHOR: ${commentAuthor}"
+          Write-Host "PULL_REQUEST_URL: ${pullRequestUrl}"
+          Write-Host "USE_FORK: ${useFork}"
+
+          ($repoOwner, $repoName) = $gitHubRepository.Split("/")
+          $headers = $headers = @{ Authorization = "token ${gitHubAccountPAT}"}
+          $uri = "https://api.github.com/repos/${repoOwner}/${repoName}/collaborators/${commentAuthor}/permission"
+          Write-Host "Checking ${repoOwner} membership for ${commentAuthor} via $uri"
           $response = Invoke-WebRequest -Headers $headers -Uri $uri
           $content = $response.Content | ConvertFrom-Json
           $accessType = $content.permission
           Write-Host "Found membership: $accessType"
           if (-not ($accessType.Equals("admin") -or $accessType.Equals("write"))) {
-            throw "${{ inputs.comment_author }}/permission does not have sufficient permissions for ${{ inputs.github_repository }}"
+            throw "${commentAuthor}/permission does not have sufficient permissions for ${gitHubRepository}"
           }
 
-          Write-Host "Parsing ${{ inputs.comment_body }}"
-          ($botName, $backport, $backportTargetBranch) = [System.Text.RegularExpressions.Regex]::Split("${{ inputs.comment_body }}", "\s+")
+          $commentBody = $env:COMMENT_BODY
+          Write-Host "--------------------------------------------------------------------------------"
+          Write-Host "COMMENT_BODY"
+          Write-Host "--------------------------------------------------------------------------------"
+          Write-Host $commentBody
+
+          ($botName, $backport, $backportTargetBranch) = [System.Text.RegularExpressions.Regex]::Split($commentBody, "\s+")
 
-          Write-Host "Grabbing PR details from ${{ inputs.pull_request_url }}"
-          $response = Invoke-WebRequest -UseBasicParsing -Headers $headers -Uri "${{ inputs.pull_request_url }}" | ConvertFrom-Json
+          Write-Host "Grabbing PR details from ${pullRequestUrl}"
+          $response = Invoke-WebRequest -UseBasicParsing -Headers $headers -Uri "${pullRequestUrl}" | ConvertFrom-Json
           $backportPRNumber = $response.number
 
           $parameters = @{
@@ -68,7 +98,7 @@ runs:
             BackportTargetBranch = "$backportTargetBranch";
             BackportPRNumber = "$backportPRNumber";
             BackportHeadSHA = "$($response.head.sha)";
-            UseFork = "${{ inputs.use_fork }}" -eq "true";
+            UseFork = $useFork -eq "true";
           } | ConvertTo-Json -Compress
 
           $json = $parameters.Replace("`"","'")
@@ -85,10 +115,22 @@ runs:
     - name: Launch ADO Build
       id: ado_build
       run: |
+        $adoOrganization = $env:ADO_ORGANIZATION
+        $adoProject = $env:ADO_PROJECT
+        $adoPipelineId = $env:ADO_PIPELINE_ID
+        $adoBuildPAT = $env:ADO_BUILD_PAT
+        $gitHubRepository = $env:GITHUB_REPOSITORY
+        $gitHubAccountPAT = $env:GITHUB_ACCOUNT_PAT
+
+        Write-Host "ADO_ORGANIZATION: ${adoOrganization}"
+        Write-Host "ADO_PROJECT: ${adoProject}"
+        Write-Host "ADO_PIPELINE_ID: ${adoPipelineId}"
+        Write-Host "GITHUB_REPOSITORY: ${gitHubRepository}"
+
         $message = ""
         $statusCode = 0
         try {
-          $launchURI = "https://dev.azure.com/${{ inputs.ado_organization }}/${{ inputs.ado_project }}/_apis/pipelines/${{ inputs.backport_pipeline_id }}/runs?api-version=6.0-preview.1"
+          $launchURI = "https://dev.azure.com/${adoOrganization}/${adoProject}/_apis/pipelines/${adoPipelineId}/runs?api-version=6.0-preview.1"
           Write-Host "Grabbing parameters from prior step"
           $parameters = ConvertFrom-Json "${{ steps.get_parameters.outputs.parameters }}"
           Write-Host "$parameters"
@@ -106,13 +148,13 @@ runs:
 
           Write-Host "Posting to $launchURI"
           Write-Host $jsonBody
-          $encoded = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(":${{ inputs.ado_build_pat }}"))
+          $encoded = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(":${adoBuildPAT}"))
           $headers = @{ Authorization = "Basic $encoded"}
 
           $response = Invoke-WebRequest -UseBasicParsing -Method POST -Headers $headers -ContentType "application/json" -Uri $launchURI -Body $jsonBody
           $responseJson = ConvertFrom-Json $response.Content
           echo "Job successfully launched"
-          $message = "Backport Job to branch **$($parameters.BackportTargetBranch)** Created! The magic is happening [here](https://dev.azure.com/${{ inputs.ado_organization }}/${{ inputs.ado_project }}/_build/results?buildId=$($responseJson.id))"
+          $message = "Backport Job to branch **$($parameters.BackportTargetBranch)** Created! The magic is happening [here](https://dev.azure.com/${adoOrganization}/${adoProject}/_build/results?buildId=$($responseJson.id))"
         } catch {
           Write-Host $_.Exception.Message
           $message = "I couldn't create a backport to **$($parameters.BackportTargetBranch)** for you. :( Please check the Action logs for more details."
@@ -122,8 +164,8 @@ runs:
             body = $message
           } | ConvertTo-Json
 
-          $headers = @{ Authorization = "token ${{ inputs.github_account_pat }}"}
-          $uri = "https://api.github.com/repos/${{ inputs.github_repository }}/issues/${{ steps.get_parameters.outputs.pr_number }}/comments"
+          $headers = @{ Authorization = "token ${gitHubAccountPAT}"}
+          $uri = "https://api.github.com/repos/${gitHubRepository}/issues/${{ steps.get_parameters.outputs.pr_number }}/comments"
 
 
           Write-Host "Posting to $uri"
