From c1cfb8e860be7e7b6924461531ae536c22780c7b Mon Sep 17 00:00:00 2001
From: Frazer Smith
Date: Fri, 15 Aug 2025 09:14:53 +0100
Subject: [PATCH 1/3] fix: avoid potential code injection
---
.github/workflows/plugins-benchmark-pr.yml | 14 ++++++++++----
.github/workflows/plugins-ci-elasticsearch.yml | 5 +++--
.github/workflows/plugins-ci-kafka.yml | 5 +++--
.github/workflows/plugins-ci-mongo.yml | 4 +++-
.github/workflows/plugins-ci-mysql.yml | 4 +++-
.github/workflows/plugins-ci-postgres.yml | 9 ++++++---
.github/workflows/plugins-ci-redis.yml | 4 +++-
.github/workflows/plugins-ci.yml | 4 +++-
8 files changed, 34 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/plugins-benchmark-pr.yml b/.github/workflows/plugins-benchmark-pr.yml
index 8770b66..cd6aaf1 100644
--- a/.github/workflows/plugins-benchmark-pr.yml
+++ b/.github/workflows/plugins-benchmark-pr.yml
@@ -41,6 +41,8 @@ jobs:
benchmark:
if: ${{ github.event.label.name == 'benchmark' }}
runs-on: ubuntu-latest
+ env:
+ NPM_SCRIPT: ${{ inputs.npm-script }}
permissions:
contents: read
outputs:
@@ -73,9 +75,11 @@ jobs:
- name: Run benchmark ${{ inputs.pr-repo }}@${{ inputs.pr-ref }}
id: benchmark-pr
+ env:
+ NODE_VERSION: ${{ matrix.node-version }}
run: |
- echo 'BENCH_RESULT_${{matrix.node-version}}<> $GITHUB_OUTPUT
- npm run --silent ${{inputs.npm-script}} >> $GITHUB_OUTPUT
+ echo 'BENCH_RESULT_${NODE_VERSION}<> $GITHUB_OUTPUT
+ npm run --silent "$NPM_SCRIPT" >> $GITHUB_OUTPUT
echo 'EOF' >> $GITHUB_OUTPUT
- name: Checkout ${{ inputs.base-repo }}@${{ inputs.base-ref }}
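Review bot: The heredoc that captures the benchmark output into `$GITHUB_OUTPUT` still closes on a fixed terminator (`echo 'EOF' >> $GITHUB_OUTPUT`; the opening delimiter is stripped in this rendering), and `npm run --silent "$NPM_SCRIPT"` runs code from the ref named in the step title, so any line reading `EOF` in that output ends the block early and the lines after it are parsed as further `name=value` step outputs. Moving the script name into an env var closes the shell-injection vector but not this output-injection one. Generate the delimiter per run, e.g. `delim="$(openssl rand -hex 16)"`, open the heredoc with `<<${delim}` on a double-quoted echo, and close with `echo "$delim" >> "$GITHUB_OUTPUT"`. The `benchmark` job this step belongs to continues outside the hunk.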
@@ -91,9 +95,11 @@ jobs:
- name: Run benchmark ${{ inputs.base-repo }}@${{ inputs.base-ref }}
id: benchmark-base
+ env:
+ NODE_VERSION: ${{ matrix.node-version }}
run: |
- echo 'BENCH_RESULT_${{matrix.node-version}}<> $GITHUB_OUTPUT
- npm run --silent ${{inputs.npm-script}} >> $GITHUB_OUTPUT
+ echo 'BENCH_RESULT_${NODE_VERSION}<> $GITHUB_OUTPUT
+ npm run --silent "$NPM_SCRIPT" >> $GITHUB_OUTPUT
echo 'EOF' >> $GITHUB_OUTPUT
output-benchmark:
diff --git a/.github/workflows/plugins-ci-elasticsearch.yml b/.github/workflows/plugins-ci-elasticsearch.yml
index b3a89a2..f44571a 100644
--- a/.github/workflows/plugins-ci-elasticsearch.yml
+++ b/.github/workflows/plugins-ci-elasticsearch.yml
@@ -74,8 +74,9 @@ jobs:
run: npm i --ignore-scripts
- name: Check Licenses
- run: ${{ format('npx license-checker --production --summary --onlyAllow="0BSD;Apache-2.0;BlueOak-1.0.0;BSD-2-Clause;BSD-3-Clause;ISC;MIT;{0}"', inputs.license-check-allowed-additional) }}
-
+ env:
+ ALLOWED_ADDITIONAL: ${{ inputs.license-check-allowed-additional }}
+ run: npx license-checker --production --summary --onlyAllow="0BSD;Apache-2.0;BlueOak-1.0.0;BSD-2-Clause;BSD-3-Clause;ISC;MIT;$ALLOWED_ADDITIONAL"
linter:
name: Lint Code
if: >
diff --git a/.github/workflows/plugins-ci-kafka.yml b/.github/workflows/plugins-ci-kafka.yml
index 0fc19d2..0c485eb 100644
--- a/.github/workflows/plugins-ci-kafka.yml
+++ b/.github/workflows/plugins-ci-kafka.yml
@@ -69,8 +69,9 @@ jobs:
run: npm i --ignore-scripts
- name: Check Licenses
- run: ${{ format('npx license-checker --production --summary --onlyAllow="0BSD;Apache-2.0;BlueOak-1.0.0;BSD-2-Clause;BSD-3-Clause;ISC;MIT;{0}"', inputs.license-check-allowed-additional) }}
-
+ env:
+ ALLOWED_ADDITIONAL: ${{ inputs.license-check-allowed-additional }}
+ run: npx license-checker --production --summary --onlyAllow="0BSD;Apache-2.0;BlueOak-1.0.0;BSD-2-Clause;BSD-3-Clause;ISC;MIT;$ALLOWED_ADDITIONAL"
linter:
name: Lint Code
if: >
diff --git a/.github/workflows/plugins-ci-mongo.yml b/.github/workflows/plugins-ci-mongo.yml
index 23ba752..c8d3808 100644
--- a/.github/workflows/plugins-ci-mongo.yml
+++ b/.github/workflows/plugins-ci-mongo.yml
@@ -69,7 +69,9 @@ jobs:
run: npm i --ignore-scripts
- name: Check Licenses
- run: ${{ format('npx license-checker --production --summary --onlyAllow="0BSD;Apache-2.0;BlueOak-1.0.0;BSD-2-Clause;BSD-3-Clause;ISC;MIT;{0}"', inputs.license-check-allowed-additional) }}
+ env:
+ ALLOWED_ADDITIONAL: ${{ inputs.license-check-allowed-additional }}
+ run: npx license-checker --production --summary --onlyAllow="0BSD;Apache-2.0;BlueOak-1.0.0;BSD-2-Clause;BSD-3-Clause;ISC;MIT;$ALLOWED_ADDITIONAL"
linter:
name: Lint Code
diff --git a/.github/workflows/plugins-ci-mysql.yml b/.github/workflows/plugins-ci-mysql.yml
index d1cc443..0144fdd 100644
--- a/.github/workflows/plugins-ci-mysql.yml
+++ b/.github/workflows/plugins-ci-mysql.yml
@@ -69,7 +69,9 @@ jobs:
run: npm i --ignore-scripts
- name: Check Licenses
- run: ${{ format('npx license-checker --production --summary --onlyAllow="0BSD;Apache-2.0;BlueOak-1.0.0;BSD-2-Clause;BSD-3-Clause;ISC;MIT;{0}"', inputs.license-check-allowed-additional) }}
+ env:
+ ALLOWED_ADDITIONAL: ${{ inputs.license-check-allowed-additional }}
+ run: npx license-checker --production --summary --onlyAllow="0BSD;Apache-2.0;BlueOak-1.0.0;BSD-2-Clause;BSD-3-Clause;ISC;MIT;$ALLOWED_ADDITIONAL"
linter:
name: Lint Code
diff --git a/.github/workflows/plugins-ci-postgres.yml b/.github/workflows/plugins-ci-postgres.yml
index 22c1c81..d476a4c 100644
--- a/.github/workflows/plugins-ci-postgres.yml
+++ b/.github/workflows/plugins-ci-postgres.yml
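Review bot: The lone `-` removal in the elasticsearch hunk deletes the blank line that separated the `Check Licenses` step from the `linter:` job, and the kafka hunk does the same, while the mongo, mysql, postgres, redis and plugins-ci hunks of this commit keep that blank line; restore it so the eight workflows stay aligned. On the substance, `$ALLOWED_ADDITIONAL` now sits inside the double-quoted `--onlyAllow` argument so shell metacharacters in the input are inert, but the caller still fully controls what is appended to the allow-list — the env indirection is an injection fix, not a policy control — and a comment on the `env:` entry such as `# caller-supplied; extends the allow-list and is not validated here` would make that explicit.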
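Review bot: `npx license-checker` on the kafka hunk's new `run:` line is unpinned, so unless `license-checker` is already among the plugin's devDependencies (installed by the preceding `npm i --ignore-scripts`, outside this hunk) npx fetches whatever version is current on the registry at run time, which makes a compliance gate depend on an unverified download. Pin it, `npx license-checker@<version>`, or declare it as a devDependency so the lockfile governs it. The same applies to every license-check hunk in this commit; raised once here.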
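Review bot: When `license-check-allowed-additional` is empty, the mongo hunk's new `--onlyAllow` value ends in `;MIT;` with an empty trailing entry; the old `format()` form had the same shape, so this is not a regression, but it is worth confirming that license-checker treats an empty entry as "no license" rather than as a match-anything, since an accidental wildcard would silently disable the gate. If in doubt, append conditionally: `--onlyAllow="0BSD;Apache-2.0;BlueOak-1.0.0;BSD-2-Clause;BSD-3-Clause;ISC;MIT${ALLOWED_ADDITIONAL:+;$ALLOWED_ADDITIONAL}"`.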
@@ -69,7 +69,9 @@ jobs:
run: npm i --ignore-scripts
- name: Check Licenses
- run: ${{ format('npx license-checker --production --summary --onlyAllow="0BSD;Apache-2.0;BlueOak-1.0.0;BSD-2-Clause;BSD-3-Clause;ISC;MIT;{0}"', inputs.license-check-allowed-additional) }}
+ env:
+ ALLOWED_ADDITIONAL: ${{ inputs.license-check-allowed-additional }}
+ run: npx license-checker --production --summary --onlyAllow="0BSD;Apache-2.0;BlueOak-1.0.0;BSD-2-Clause;BSD-3-Clause;ISC;MIT;$ALLOWED_ADDITIONAL"
linter:
name: Lint Code
@@ -136,6 +138,8 @@ jobs:
run: npm i
- name: CI environment setup
+ env:
+ PGPORT: ${{ job.services.postgres.ports[5432] }}
run: >
npm i node-gyp
@@ -143,8 +147,7 @@ jobs:
chmod 600 .pgpass
- PGPASSFILE=.pgpass psql -h localhost -p ${{
- job.services.postgres.ports[5432] }} -d postgres -c 'CREATE TABLE
+ PGPASSFILE=.pgpass psql -h localhost -p "$PGPORT" -d postgres -c 'CREATE TABLE
users(id serial PRIMARY KEY, username VARCHAR (50) NOT NULL);' -U postgres
diff --git a/.github/workflows/plugins-ci-redis.yml b/.github/workflows/plugins-ci-redis.yml
index f5f8450..b135d15 100644
--- a/.github/workflows/plugins-ci-redis.yml
+++ b/.github/workflows/plugins-ci-redis.yml
@@ -69,7 +69,9 @@ jobs:
run: npm i --ignore-scripts
- name: Check Licenses
- run: ${{ format('npx license-checker --production --summary --onlyAllow="0BSD;Apache-2.0;BlueOak-1.0.0;BSD-2-Clause;BSD-3-Clause;ISC;MIT;{0}"', inputs.license-check-allowed-additional) }}
+ env:
+ ALLOWED_ADDITIONAL: ${{ inputs.license-check-allowed-additional }}
+ run: npx license-checker --production --summary --onlyAllow="0BSD;Apache-2.0;BlueOak-1.0.0;BSD-2-Clause;BSD-3-Clause;ISC;MIT;$ALLOWED_ADDITIONAL"
linter:
name: Lint Code
diff --git a/.github/workflows/plugins-ci.yml b/.github/workflows/plugins-ci.yml
index 145ff91..9a277e5 100644
--- a/.github/workflows/plugins-ci.yml
+++ b/.github/workflows/plugins-ci.yml
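Review bot: `PGPORT` is a libpq environment variable, so once the postgres `CI environment setup` step sets it in `env:` (the `@@ -136` hunk) psql reads it on its own and the explicit `-p "$PGPORT"` on the rewritten line of the `@@ -143` hunk is redundant; that is harmless, but if the intent was to feed only this one command, a non-libpq name such as `POSTGRES_PORT` avoids silently changing the port of any other psql/libpq invocation in the same `run: >` block, which continues outside the hunk. Note also that the value comes from `job.services.postgres.ports[5432]`, not from a caller, so this change is hygiene rather than an injection fix; keeping the explicit `-p` makes that readable either way.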
@@ -74,7 +74,9 @@ jobs:
run: npm i --ignore-scripts
- name: Check Licenses
- run: ${{ format('npx license-checker --production --summary --onlyAllow="0BSD;Apache-2.0;BlueOak-1.0.0;BSD-2-Clause;BSD-3-Clause;ISC;MIT;{0}"', inputs.license-check-allowed-additional) }}
+ env:
+ ALLOWED_ADDITIONAL: ${{ inputs.license-check-allowed-additional }}
+ run: npx license-checker --production --summary --onlyAllow="0BSD;Apache-2.0;BlueOak-1.0.0;BSD-2-Clause;BSD-3-Clause;ISC;MIT;$ALLOWED_ADDITIONAL"
linter:
name: Lint Code
From c1741263789270bd455bf21ad778cd0047969acd Mon Sep 17 00:00:00 2001
From: Frazer Smith
Date: Fri, 15 Aug 2025 09:28:59 +0100
Subject: [PATCH 2/3] fix: double quoting to avoid word splitting and globbing
---
.github/workflows/plugins-benchmark-pr.yml | 12 ++++++------
.github/workflows/plugins-ci.yml | 2 +-
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/plugins-benchmark-pr.yml b/.github/workflows/plugins-benchmark-pr.yml
index cd6aaf1..0fadb77 100644
--- a/.github/workflows/plugins-benchmark-pr.yml
+++ b/.github/workflows/plugins-benchmark-pr.yml
@@ -78,9 +78,9 @@ jobs:
env:
NODE_VERSION: ${{ matrix.node-version }}
run: |
- echo 'BENCH_RESULT_${NODE_VERSION}<> $GITHUB_OUTPUT
- npm run --silent "$NPM_SCRIPT" >> $GITHUB_OUTPUT
- echo 'EOF' >> $GITHUB_OUTPUT
+ echo 'BENCH_RESULT_${NODE_VERSION}<> "$GITHUB_OUTPUT"
+ npm run --silent "$NPM_SCRIPT" >> "$GITHUB_OUTPUT"
+ echo 'EOF' >> "$GITHUB_OUTPUT"
- name: Checkout ${{ inputs.base-repo }}@${{ inputs.base-ref }}
uses: actions/checkout@v4
@@ -98,9 +98,9 @@ jobs:
env:
NODE_VERSION: ${{ matrix.node-version }}
run: |
- echo 'BENCH_RESULT_${NODE_VERSION}<> $GITHUB_OUTPUT
- npm run --silent "$NPM_SCRIPT" >> $GITHUB_OUTPUT
- echo 'EOF' >> $GITHUB_OUTPUT
+ echo 'BENCH_RESULT_${NODE_VERSION}<> "$GITHUB_OUTPUT"
+ npm run --silent "$NPM_SCRIPT" >> "$GITHUB_OUTPUT"
+ echo 'EOF' >> "$GITHUB_OUTPUT"
output-benchmark:
needs: benchmark
diff --git a/.github/workflows/plugins-ci.yml b/.github/workflows/plugins-ci.yml
index 9a277e5..d83510d 100644
--- a/.github/workflows/plugins-ci.yml
+++ b/.github/workflows/plugins-ci.yml
@@ -172,7 +172,7 @@ jobs:
git clone https://github.com/fastify/fastify.git --depth 1 &&
cd fastify &&
npm i --ignore-scripts &&
- npm link $PACKAGE_NAME &&
+ npm link "$PACKAGE_NAME" &&
npm run unit
automerge:
From c5f91e211579a38526ed80423fa1d99d7a1ca800 Mon Sep 17 00:00:00 2001
From: Frazer Smith
Date: Fri, 15 Aug 2025 09:29:37 +0100
Subject: [PATCH 3/3] fix: double quote to allow node_version to be expanded
---
.github/workflows/plugins-benchmark-pr.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/plugins-benchmark-pr.yml b/.github/workflows/plugins-benchmark-pr.yml
index 0fadb77..463d988 100644
--- a/.github/workflows/plugins-benchmark-pr.yml
+++ b/.github/workflows/plugins-benchmark-pr.yml
@@ -78,7 +78,7 @@ jobs:
env:
NODE_VERSION: ${{ matrix.node-version }}
run: |
- echo 'BENCH_RESULT_${NODE_VERSION}<> "$GITHUB_OUTPUT"
+ echo "BENCH_RESULT_${NODE_VERSION}<> "$GITHUB_OUTPUT"
npm run --silent "$NPM_SCRIPT" >> "$GITHUB_OUTPUT"
echo 'EOF' >> "$GITHUB_OUTPUT"
@@ -98,7 +98,7 @@ jobs:
env:
NODE_VERSION: ${{ matrix.node-version }}
run: |
- echo 'BENCH_RESULT_${NODE_VERSION}<> "$GITHUB_OUTPUT"
+ echo "BENCH_RESULT_${NODE_VERSION}<> "$GITHUB_OUTPUT"
npm run --silent "$NPM_SCRIPT" >> "$GITHUB_OUTPUT"
echo 'EOF' >> "$GITHUB_OUTPUT"
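Review bot: With `${NODE_VERSION}` now expanding on the two rewritten `echo` lines, the output key written to `$GITHUB_OUTPUT` is `BENCH_RESULT_` plus the raw matrix value; if any `matrix.node-version` entry contains a dot (the matrix is outside the hunk, so confirm), the resulting name cannot be read with dereference syntax such as `steps.<id>.outputs.BENCH_RESULT_20.x` and the consuming `output-benchmark` job would need index syntax. Normalising the key on both lines, `"BENCH_RESULT_${NODE_VERSION//./_}"`, keeps it a plain identifier whatever the matrix holds. Both steps' `run:` blocks are fully visible here; the job that reads these outputs is not.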