Support retrieving specific repository files before executing script #326
Comments
|
Also, I'd commit to doing the work myself and submitting a PR |
|
👋 Thanks for the feature request @jeremy-boschen, this sounds interesting! It might be worth thinking about where we'd save these files and how we could make it easy to reference them. It wouldn't be ideal to pollute the current working directory. We could potentially pass some path variable to point to a temporary directory where they were saved.
|
|
Thanks for the feedback @joshmgross!
I'm thinking it would depend on whether or not the action can load scripts from another repository. For my use cases it wouldn't be permitted due to security concerns. If it cannot, then using the working directory would be no different than using checkout, which seems OK to me. I could also see how loading from a temp directory could open some vulnerabilities if that script or ones it depends on do relative loads itself. If it can, then I agree a temp directory makes sense though my concern of potential exposure within the temp directory applies. |
|
Could you elaborate on how using a temporary directory could lead to vulnerabilities? |
|
Say you have an action prior to github-script doing something like this, maliciously: // pseudo-code
writeFile('$RUNNER_TEMP/localScript.js');
writeFile('$RUNNER_TEMP/localSettings.json');Then in a github-script file which was written to $RUNNER_TEMP: require('./localScript');
callSomeCompromisedMethodFromLocalScript();
// or
const settings = require('./localSettings.json');
doSomethingWithCompromisedSettings(settings);I don't think tool-cache executes tools from the temp directory, does it? If not, I'd think this shouldn't either. |
|
Couldn't that malicious action just as easily write files to the current directory? I think if you have a malicious action executing arbitrary code on your machine then there are worse things that could happen even without |
|
Yes, of course. It was a simplistic example. |
|
On a related note, much like @jeremy-boschen, I would like to strip out snippets of JS code into separate files outside of YAML for ease of legibility. However, I'm struggling to understand how best to achieve something this. Before/Currentscript: |
const { data: list_comments } = await github.rest.issues.listComments({
issue_number: context.issue.number,
owner: context.repo.owner,
per_page: 100,
repo: context.repo.repo,
});
const get_comment = list_comments
.sort((a, b) => b.id - a.id)
.find((comment) => /^keyword/.test(comment.body));
return {
body: get_comment.body,
id: get_comment.id,
};After/Proposedscript: |
require('./comment.js');// File: comment.js
const { data: list_comments } = await github.rest.issues.listComments({
issue_number: context.issue.number,
owner: context.repo.owner,
per_page: 100,
repo: context.repo.repo,
});
const get_comment = list_comments
.sort((a, b) => b.id - a.id)
.find((comment) => /^keyword/.test(comment.body));
return {
body: get_comment.body,
id: get_comment.id,
};With this, I get: "SyntaxError: await is only valid in async functions and the top level bodies of modules." I'm sure I'm missing something obvious with |
Is your feature request related to a problem? Please describe.
Describe the solution you'd like
fileswhich can be retrieved via the github API if not present, before the main script is run.Describe alternatives you've considered
filesinput to reduce retrieved content and use that here.Additional context
I find writing actions and workflows, even using act, to be a painful experience in general. Any additional features of an action that ease the pain somewhat are greatly appreciated. Using multiple actions to simulate something that an action could do on its own works, but it's less than ideal.
The text was updated successfully, but these errors were encountered: