oss/forgejo-runner
oss/forgejo-runner
1
0
Fork 0
mirror of https://code.forgejo.org/forgejo/runner.git synced 2025-08-21 18:11:06 +00:00
Code Wiki Activity

fix: composite action input pollution (#2348)

Browse source 
* fix: composite action input pollution

* fix run steps

* fix missing defaults in post after env cleanup

* fix test to make more sense

* Add tests and simplify change

---------

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
(cherry picked from commit 54245641d28fc496152684e151043ce0c7389086)

Conflicts:
	act/runner/step_test.go
    the modified test does not exist in the Forgejo runner
This commit is contained in:
ChristopherHX 2024-06-05 16:44:44 +02:00 committed by Earl Warren
parent a737f197c7
commit cb99c53dc1
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
15 changed files with 181 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
act/runner/action.go
View file

@ -711,6 +711,7 @@ func runPostStep(step actionStep) common.Executor {
case model.ActionRunsUsingNode12, model.ActionRunsUsingNode16, model.ActionRunsUsingNode20:
populateEnvsFromSavedState(step.getEnv(), step, rc)
populateEnvsFromInput(ctx, step.getEnv(), step.getActionModel(), rc)
containerArgs := []string{"node", path.Join(containerActionDir, action.Runs.Post)}
logger.Debugf("executing remote job container: %s", containerArgs)

2
act/runner/runner_test.go
View file

@ -251,6 +251,8 @@ func TestRunner_RunEvent(t *testing.T) {
// Uses
{workdir, "uses-composite", "push", "", platforms, secrets},
{workdir, "uses-composite-with-error", "push", "Job 'failing-composite-action' failed", platforms, secrets},
{workdir, "uses-composite-check-for-input-collision", "push", "", platforms, secrets},
{workdir, "uses-composite-check-for-input-shadowing", "push", "", platforms, secrets},
{workdir, "uses-nested-composite", "push", "", platforms, secrets},
// {workdir, "remote-action-composite-js-pre-with-defaults", "push", "", platforms, secrets},
{workdir, "remote-action-composite-action-ref", "push", "", platforms, secrets},

10
act/runner/step.go
View file

@ -262,6 +262,16 @@ func mergeEnv(ctx context.Context, step step) {
}
rc.withGithubEnv(ctx, step.getGithubContext(ctx), *env)
if step.getStepModel().Uses != "" {
// prevent uses action input pollution of unset parameters, skip this for run steps
// due to design flaw
for key := range *env {
if strings.Contains(key, "INPUT_") {
delete(*env, key)
}
}
}
}
func isStepEnabled(ctx context.Context, expr string, step step, stage stepStage) (bool, error) {

16
act/runner/testdata/uses-composite-check-for-input-collision/action-with-pre-and-post/action.yml vendored Normal file
View file

@ -0,0 +1,16 @@
name: "Action with pre and post"
description: "Action with pre and post"
inputs:
step:
description: "step"
required: true
cache:
required: false
default: false
runs:
using: "node16"
pre: pre.js
main: main.js
post: post.js

14
act/runner/testdata/uses-composite-check-for-input-collision/action-with-pre-and-post/main.js vendored Normal file
View file

@ -0,0 +1,14 @@
const { appendFileSync } = require('fs');
const step = process.env['INPUT_STEP'];
appendFileSync(process.env['GITHUB_ENV'], `TEST=${step}`, { encoding:'utf-8' })
var cache = process.env['INPUT_CACHE']
try {
var cache = JSON.parse(cache)
} catch {
}
if(typeof cache !== 'boolean') {
console.log("Input Polluted boolean true/false expected, got " + cache)
process.exit(1);
}

14
act/runner/testdata/uses-composite-check-for-input-collision/action-with-pre-and-post/post.js vendored Normal file
View file

@ -0,0 +1,14 @@
const { appendFileSync } = require('fs');
const step = process.env['INPUT_STEP'];
appendFileSync(process.env['GITHUB_ENV'], `TEST=${step}-post`, { encoding:'utf-8' })
var cache = process.env['INPUT_CACHE']
try {
var cache = JSON.parse(cache)
} catch {
}
if(typeof cache !== 'boolean') {
console.log("Input Polluted boolean true/false expected, got " + cache)
process.exit(1);
}

12
act/runner/testdata/uses-composite-check-for-input-collision/action-with-pre-and-post/pre.js vendored Normal file
View file

@ -0,0 +1,12 @@
console.log('pre');
var cache = process.env['INPUT_CACHE']
try {
var cache = JSON.parse(cache)
} catch {
}
if(typeof cache !== 'boolean') {
console.log("Input Polluted boolean true/false expected, got " + cache)
process.exit(1);
}

16
act/runner/testdata/uses-composite-check-for-input-collision/composite_action/action.yml vendored Normal file
View file

@ -0,0 +1,16 @@
name: "Test Composite Action"
description: "Test action uses composite"
inputs:
cache:
default: none
runs:
using: "composite"
steps:
- uses: ./uses-composite-check-for-input-collision/action-with-pre-and-post
with:
step: step1
- uses: ./uses-composite-check-for-input-collision/action-with-pre-and-post
with:
step: step2

10
act/runner/testdata/uses-composite-check-for-input-collision/push.yml vendored Normal file
View file

@ -0,0 +1,10 @@
name: uses-composite-with-pre-and-post-steps
on: push
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: echo -n "STEP_OUTPUT_TEST=empty" >> $GITHUB_ENV
- uses: ./uses-composite-check-for-input-collision/composite_action

16
act/runner/testdata/uses-composite-check-for-input-shadowing/action-with-pre-and-post/action.yml vendored Normal file
View file

@ -0,0 +1,16 @@
name: "Action with pre and post"
description: "Action with pre and post"
inputs:
step:
description: "step"
required: true
cache:
required: false
default: false
runs:
using: "node16"
pre: pre.js
main: main.js
post: post.js

14
act/runner/testdata/uses-composite-check-for-input-shadowing/action-with-pre-and-post/main.js vendored Normal file
View file

@ -0,0 +1,14 @@
const { appendFileSync } = require('fs');
const step = process.env['INPUT_STEP'];
appendFileSync(process.env['GITHUB_ENV'], `TEST=${step}`, { encoding:'utf-8' })
var cache = process.env['INPUT_CACHE']
try {
var cache = JSON.parse(cache)
} catch {
}
if(typeof cache !== 'boolean') {
console.log("Input Polluted boolean true/false expected, got " + cache)
process.exit(1);
}

14
act/runner/testdata/uses-composite-check-for-input-shadowing/action-with-pre-and-post/post.js vendored Normal file
View file

@ -0,0 +1,14 @@
const { appendFileSync } = require('fs');
const step = process.env['INPUT_STEP'];
appendFileSync(process.env['GITHUB_ENV'], `TEST=${step}-post`, { encoding:'utf-8' })
var cache = process.env['INPUT_CACHE']
try {
var cache = JSON.parse(cache)
} catch {
}
if(typeof cache !== 'boolean') {
console.log("Input Polluted boolean true/false expected, got " + cache)
process.exit(1);
}

12
act/runner/testdata/uses-composite-check-for-input-shadowing/action-with-pre-and-post/pre.js vendored Normal file
View file

@ -0,0 +1,12 @@
console.log('pre');
var cache = process.env['INPUT_CACHE']
try {
var cache = JSON.parse(cache)
} catch {
}
if(typeof cache !== 'boolean') {
console.log("Input Polluted boolean true/false expected, got " + cache)
process.exit(1);
}

18
act/runner/testdata/uses-composite-check-for-input-shadowing/composite_action/action.yml vendored Normal file
View file

@ -0,0 +1,18 @@
name: "Test Composite Action"
description: "Test action uses composite"
inputs:
cache:
default: true
runs:
using: "composite"
steps:
- uses: ./uses-composite-check-for-input-shadowing/action-with-pre-and-post
with:
step: step1
cache: ${{ inputs.cache || 'none' }}
- uses: ./uses-composite-check-for-input-shadowing/action-with-pre-and-post
with:
step: step2
cache: ${{ inputs.cache || 'none' }}

12
act/runner/testdata/uses-composite-check-for-input-shadowing/push.yml vendored Normal file
View file

@ -0,0 +1,12 @@
name: uses-composite-with-pre-and-post-steps
on: push
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: echo -n "STEP_OUTPUT_TEST=empty" >> $GITHUB_ENV
- uses: ./uses-composite-check-for-input-shadowing/composite_action
# with:
# cache: other