fix(ci): build chainlink job #1413
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
.github/workflows/build_external.yml
Outdated
| - name: Checkout chainlink repo | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| push_tag: "" | ||
| cl_repo: smartcontractkit/chainlink | ||
| cl_ref: ${{ env.CUSTOM_CORE_REF }} | ||
| dep_common_sha: ${{ github.event.pull_request.head.sha }} | ||
| should_checkout: true | ||
| QA_AWS_REGION: "" | ||
| QA_AWS_ROLE_TO_ASSUME: "" | ||
| path: chainlink | ||
| repository: smartcontractkit/chainlink | ||
| ref: ${{ steps.get-core-ref.outputs.core-ref }} | ||
|
|
||
| - name: Build /chainlink |
Check warning
Code scanning / CodeQL
Checkout of untrusted code in trusted context Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 days ago
General Fix:
The best practice is to avoid using user input (such as a PR comment or PR body) directly as a ref for actions/checkout, especially if it can reference arbitrary commits/branches. Only allow the workflow to checkout trusted refs (for example, only refs that exist in a trusted list, or restrict to branches/tags that match a safe pattern, or only allow a specific set of pre-approved refs).
Detailed Fix for this file:
In this workflow, the core_ref is extracted from the PR body and used to checkout code from the upstream repository at that ref. To fix this, we should validate the value of core_ref before using it in the checkout step. Only allow core_ref to be set to a safe list of refs, such as a whitelist like develop, main, or a specific set of release branches. If the value doesn't match the allowed patterns, default to a safe branch (e.g., develop).
The validation should be done immediately after extracting core_ref, before it is set in the workflow outputs. This can be implemented as a shell check in the get-core-ref step, using a regex or a case statement to allow only known-safe refs.
Required changes:
- In the step
get-core-ref, after extractingcore_ref, validate it against a whitelist. If it doesn't match, fallback todevelop. - No new external dependencies are required.
| @@ -27,11 +27,7 @@ | ||
| run: | | ||
| comment=$(gh pr view https://github.com/${GITHUB_REPOSITORY}/pull/${PR_NUMBER} --json body -q '.body') | ||
| core_ref=$(echo $comment | grep -oP 'core ref: \K\S+' || true) | ||
| if [ ! -z "$core_ref" ]; then | ||
| echo "core-ref=${core_ref}" | tee -a "$GITHUB_OUTPUT" | ||
| else | ||
| echo "core-ref=develop" | tee -a "$GITHUB_OUTPUT" | ||
| fi | ||
| # Only allow core_ref to be one of the trusted branches | ||
|
|
||
| - name: Checkout chainlink-common repo | ||
| uses: actions/checkout@v4 |
erikburt
force-pushed
the
fix/chainlink-image-build
branch
from
36786b0 to
dca6a6c
Compare
erikburt
force-pushed
the
fix/chainlink-image-build
branch
from
dca6a6c to
181faed
Compare
Requires
Supports