mirror of
https://github.com/actions/checkout.git
synced 2026-07-16 00:33:06 +08:00
skip running unsafe pr check if input is default (backport #2518 to releases/v5)
This commit is contained in:
committed by
GitHub
parent
6026fb2ad3
commit
30e4b40138
@@ -145,4 +145,50 @@ describe('input-helper tests', () => {
|
|||||||
const settings: IGitSourceSettings = await inputHelper.getInputs()
|
const settings: IGitSourceSettings = await inputHelper.getInputs()
|
||||||
expect(settings.workflowOrganizationId).toBe(123456)
|
expect(settings.workflowOrganizationId).toBe(123456)
|
||||||
})
|
})
|
||||||
|
|
||||||
|
describe('unsafe PR checkout guard', () => {
|
||||||
|
const forkPayload = {
|
||||||
|
repository: {id: 100},
|
||||||
|
pull_request: {
|
||||||
|
head: {
|
||||||
|
sha: '1234567890123456789012345678901234567890',
|
||||||
|
repo: {id: 200, full_name: 'attacker/fork'}
|
||||||
|
},
|
||||||
|
merge_commit_sha: 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
it('allows the default self-checkout on a fork pull_request_target', async () => {
|
||||||
|
const originalEvent = github.context.eventName
|
||||||
|
const originalPayload = github.context.payload
|
||||||
|
try {
|
||||||
|
github.context.eventName = 'pull_request_target'
|
||||||
|
github.context.payload = forkPayload as any
|
||||||
|
// Simulate a rebase/fast-forward merge where the base tip (event SHA)
|
||||||
|
// equals the PR head SHA. The default self-checkout must still succeed.
|
||||||
|
github.context.sha = '1234567890123456789012345678901234567890'
|
||||||
|
const settings: IGitSourceSettings = await inputHelper.getInputs()
|
||||||
|
expect(settings.commit).toBe('1234567890123456789012345678901234567890')
|
||||||
|
} finally {
|
||||||
|
github.context.eventName = originalEvent
|
||||||
|
github.context.payload = originalPayload
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
|
it('refuses an explicit fork repository on pull_request_target', async () => {
|
||||||
|
const originalEvent = github.context.eventName
|
||||||
|
const originalPayload = github.context.payload
|
||||||
|
try {
|
||||||
|
github.context.eventName = 'pull_request_target'
|
||||||
|
github.context.payload = forkPayload as any
|
||||||
|
inputs.repository = 'attacker/fork'
|
||||||
|
await expect(inputHelper.getInputs()).rejects.toThrow(
|
||||||
|
/Refusing to check out fork pull request code/
|
||||||
|
)
|
||||||
|
} finally {
|
||||||
|
github.context.eventName = originalEvent
|
||||||
|
github.context.payload = originalPayload
|
||||||
|
}
|
||||||
|
})
|
||||||
|
})
|
||||||
})
|
})
|
||||||
|
|||||||
Vendored
+7
@@ -1986,12 +1986,19 @@ function getInputs() {
|
|||||||
(core.getInput('allow-unsafe-pr-checkout') || 'false').toUpperCase() ===
|
(core.getInput('allow-unsafe-pr-checkout') || 'false').toUpperCase() ===
|
||||||
'TRUE';
|
'TRUE';
|
||||||
core.debug(`allow unsafe PR checkout = ${result.allowUnsafePrCheckout}`);
|
core.debug(`allow unsafe PR checkout = ${result.allowUnsafePrCheckout}`);
|
||||||
|
// The default self-checkout (this repository with no explicit ref) always
|
||||||
|
// resolves to the trusted ref/commit GitHub set for the triggering event, so
|
||||||
|
// the fork-checkout guard only needs to run when the caller customized the
|
||||||
|
// repository or ref.
|
||||||
|
const isDefaultCheckout = isWorkflowRepository && !core.getInput('ref');
|
||||||
|
if (!isDefaultCheckout) {
|
||||||
unsafePrCheckoutHelper.assertSafePrCheckout({
|
unsafePrCheckoutHelper.assertSafePrCheckout({
|
||||||
qualifiedRepository,
|
qualifiedRepository,
|
||||||
ref: result.ref,
|
ref: result.ref,
|
||||||
commit: result.commit,
|
commit: result.commit,
|
||||||
allowUnsafePrCheckout: result.allowUnsafePrCheckout
|
allowUnsafePrCheckout: result.allowUnsafePrCheckout
|
||||||
});
|
});
|
||||||
|
}
|
||||||
return result;
|
return result;
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -168,12 +168,19 @@ export async function getInputs(): Promise<IGitSourceSettings> {
|
|||||||
'TRUE'
|
'TRUE'
|
||||||
core.debug(`allow unsafe PR checkout = ${result.allowUnsafePrCheckout}`)
|
core.debug(`allow unsafe PR checkout = ${result.allowUnsafePrCheckout}`)
|
||||||
|
|
||||||
|
// The default self-checkout (this repository with no explicit ref) always
|
||||||
|
// resolves to the trusted ref/commit GitHub set for the triggering event, so
|
||||||
|
// the fork-checkout guard only needs to run when the caller customized the
|
||||||
|
// repository or ref.
|
||||||
|
const isDefaultCheckout = isWorkflowRepository && !core.getInput('ref')
|
||||||
|
if (!isDefaultCheckout) {
|
||||||
unsafePrCheckoutHelper.assertSafePrCheckout({
|
unsafePrCheckoutHelper.assertSafePrCheckout({
|
||||||
qualifiedRepository,
|
qualifiedRepository,
|
||||||
ref: result.ref,
|
ref: result.ref,
|
||||||
commit: result.commit,
|
commit: result.commit,
|
||||||
allowUnsafePrCheckout: result.allowUnsafePrCheckout
|
allowUnsafePrCheckout: result.allowUnsafePrCheckout
|
||||||
})
|
})
|
||||||
|
}
|
||||||
|
|
||||||
return result
|
return result
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user