Disable set-env and add-pathcommands #779
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
thboop
force-pushed
the
disableOldRunnerCommands
branch
from
58328f2 to
c7f8980
Compare
| var configurationStore = HostContext.GetService<IConfigurationStore>(); | ||
| var isHostedServer = configurationStore.GetSettings().IsHostedServer; | ||
|
|
||
| { |
Member
There was a problem hiding this comment.
should this method only has one line?
throw new Exception(String.Format(Constants.Runner.UnsupportedCommandMessageDisabled, this.Command));
| public Type ExtensionType => typeof(IActionCommandExtension); | ||
|
|
||
| public void ProcessCommand(IExecutionContext context, string line, ActionCommand command, ContainerInfo container) | ||
| { |
Member
There was a problem hiding this comment.
should this method only has one line?
throw new Exception(String.Format(Constants.Runner.UnsupportedCommandMessageDisabled, this.Command));
Collaborator
Author
There was a problem hiding this comment.
No because we want users to be able to set ACTIONS_ALLOW_UNSECURE_COMMANDS to use the old commands if needed, some actions may not have updated already and giving users a workaround is helpful until they do get updated!
TingluoHuang
approved these changes
Nov 14, 2020
thboop
added a commit
that referenced
this pull request
Nov 16, 2020
* Disable Old Runner Commands set-env and add-path * update dotnet install scripts * update runner version and release notes
AdamOlech
pushed a commit
to antmicro/runner
that referenced
this pull request
Jan 28, 2021
* Disable Old Runner Commands set-env and add-path * update dotnet install scripts * update runner version and release notes
ghost
mentioned this pull request
5 tasks
TingluoHuang
pushed a commit
that referenced
this pull request
Apr 21, 2021
* Disable Old Runner Commands set-env and add-path * update dotnet install scripts * update runner version and release notes
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Context
A moderate security vulnerability has been identified in the GitHub Actions runner that can allow environment variable and path injection in workflows that log untrusted data to stdout. This can result in environment variables being introduced or modified without the intention of the workflow author. To address this issue we have introduced a new set of files to manage environment and path updates in workflows. This PR disables the old commands.
Blog Post
Mitigation
If you are using these old commands, the steps that use them in your workflow will fail. You will want to move towards using Environment Files.
You may also opt into unsecure command execution as well, at a job level or for all jobs on your self hosted runner. We recommend you do not choose to do this, and instead update to the new Environment Files.
ACTIONS_ALLOW_UNSECURE_COMMANDStotrueACTIONS_ALLOW_UNSECURE_COMMANDS=truein the.envfile found at the root of the runner, much like you would set an http_proxy