* fix: harden GitHub Actions against script injection vulnerabilities
Replace direct ${{ }} expression interpolation in run: blocks with
environment variables to prevent script injection attacks. Changes:
- archaeologist-dig.yml: move clone_url, head.sha, base.ref to env vars
- non-maintainer-dependency-change.yml: move user.login to env var
- issue-unlabeled.yml: move toJSON(labels) to env var
- issue-labeled.yml: move issue.number to env var
- pipeline-electron-lint.yml: validate chromium_revision format
- cipd-install/action.yml: move all inputs to env vars and quote them
- set-chromium-cookie/action.yml: reference secrets via $ENV_VAR
- Add security comments to all 5 pull_request_target workflows
https://claude.ai/code/session_01UUWmLxn5hyyxrhK8rGxU2s
* fix: allow version strings in chromium_revision validation
The previous regex `^[a-f0-9]+$` only matched git SHAs but
chromium_revision is a version string like `148.0.7741.0`.
Broaden to `^[a-zA-Z0-9._-]+$` which still blocks shell
metacharacters.
https://claude.ai/code/session_01UUWmLxn5hyyxrhK8rGxU2s
---------
Co-authored-by: Claude <noreply@anthropic.com>
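# Composite action that installs a chromium.googlesource.com auth cookie so
# later git/curl requests get the higher request limit granted to
# authenticated accounts.
#
# The action declares no `inputs:`; its steps read the cookie from the
# environment variables CHROMIUM_GIT_COOKIE (Unix) and
# CHROMIUM_GIT_COOKIE_WINDOWS_STRING (Windows), which the calling workflow is
# presumably expected to set from a secret via `env:` on the step or job.
# Reading them as shell/cmd variables inside `run:` rather than through
# `${{ }}` interpolation keeps the secret out of the rendered script text.
#
# Both steps are best-effort: a missing cookie or a failed auth check only logs
# a message and exits 0, so callers get no failure signal beyond the log.
name: 'Set Chromium Git Cookie'
description: 'Sets an authenticated cookie from Chromium to allow for a higher request limit'
runs:
  using: "composite"
  steps:
    - name: Set the git cookie from chromium.googlesource.com (Unix)
      if: ${{ runner.os != 'Windows' }}
      shell: bash
      run: |
        if [[ -z "$CHROMIUM_GIT_COOKIE" ]]; then
          echo "CHROMIUM_GIT_COOKIE is not set - cannot authenticate."
          exit 0
        fi

        # Meant to keep the cookie value out of shell history while it is
        # echoed below; the bash and zsh forms are tried in turn.
        eval 'set +o history' 2>/dev/null || setopt HIST_IGNORE_SPACE 2>/dev/null
        # Create the cookie file empty with owner-only permissions BEFORE the
        # secret is appended, so it is never readable by other users.
        touch ~/.gitcookies
        chmod 0600 ~/.gitcookies

        git config --global http.cookiefile ~/.gitcookies

        # The secret is stored comma-separated; git's cookie file format
        # expects tab-separated fields, so commas are rewritten to tabs.
        echo "$CHROMIUM_GIT_COOKIE" | tr , \\t >>~/.gitcookies
        eval 'set -o history' 2>/dev/null || unsetopt HIST_IGNORE_SPACE 2>/dev/null

        # Verify the cookie works. A JSON body from this endpoint starts with
        # the magic prefix ")]}'" (stripped by `tail -c +5` before jq parses it);
        # anything else is treated as an authentication failure.
        RESPONSE=$(curl -s -b ~/.gitcookies https://chromium-review.googlesource.com/a/accounts/self)
        if [[ $RESPONSE == ")]}'"* ]]; then
          # Extract account email for verification
          EMAIL=$(echo "$RESPONSE" | tail -c +5 | jq -r '.email // "No email found"')
          echo "Cookie authentication successful - authenticated as: $EMAIL"
        else
          echo "Cookie authentication failed - ensure CHROMIUM_GIT_COOKIE is set correctly"
          # Quoted so the raw body is logged verbatim instead of being
          # word-split and glob-expanded by the shell.
          echo "$RESPONSE"
        fi
    - name: Set the git cookie from chromium.googlesource.com (Windows)
      if: ${{ runner.os == 'Windows' }}
      shell: cmd
      run: |
        if "%CHROMIUM_GIT_COOKIE_WINDOWS_STRING%"=="" (
          echo CHROMIUM_GIT_COOKIE_WINDOWS_STRING is not set - cannot authenticate.
          exit /b 0
        )

        git config --global http.cookiefile "%USERPROFILE%\.gitcookies"
        rem PowerShell reads the secret from $env: so cmd does not have to
        rem expand it on the command line that writes the cookie file.
        rem NOTE(review): unlike the Unix step, no permission tightening is
        rem applied to the cookie file here - confirm that is acceptable on the runner.
        powershell -noprofile -nologo -command Write-Output $env:CHROMIUM_GIT_COOKIE_WINDOWS_STRING >>"%USERPROFILE%\.gitcookies"

        rem Verify the cookie works; the response is spooled to a temp file
        rem in the working directory and deleted at the end of the step.
        curl -s -b "%USERPROFILE%\.gitcookies" https://chromium-review.googlesource.com/a/accounts/self > response.txt

        rem A body beginning with the magic prefix ")]}'" is the success signal.
        findstr /B /C:")]}'" response.txt > nul
        if %ERRORLEVEL% EQU 0 (
          echo Cookie authentication successful
          powershell -NoProfile -Command "& {$content = Get-Content -Raw response.txt; $content = $content.Substring(4); try { $json = ConvertFrom-Json $content; if($json.email) { Write-Host 'Authenticated as:' $json.email } else { Write-Host 'No email found in response' } } catch { Write-Host 'Error parsing JSON:' $_ }}"
        ) else (
          echo Cookie authentication failed - ensure CHROMIUM_GIT_COOKIE_WINDOWS_STRING is set correctly
          type response.txt
        )

        del response.txt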