-
-
Notifications
You must be signed in to change notification settings - Fork 26
137 lines (114 loc) · 4.46 KB
/
unicode_warn.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
################################################################################
# File: .github/workflows/unicode_warn.yml
# Version: 0.6
# Purpose: Detects Unicode in PRs and comments the results of findings in PR
# Authors: Michael Altfield <michael@michaelaltfield.net>
# Created: 2021-11-20
# Updated: 2024-08-08
################################################################################
# in main branch
name: malicious_sanity_checks
# execute this workflow automatically on all PRs
on:
pull_request_target:
types: [opened, edited, synchronize, reopened, unlocked]
jobs:
unicode_warn:
runs-on: ubuntu-latest
container: debian:bullseye-slim
permissions:
issues: write
pull-requests: write
steps:
- name: Dump GitHub context
env:
GITHUB_CONTEXT: ${{ toJSON(github) }}
run: echo "$GITHUB_CONTEXT"
- name: Prereqs
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
apt-get update
apt-get install -y git bsdmainutils curl jq
git clone "https://token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" .
shell: bash
- name: Get link to this run
run: |
# https://stackoverflow.com/a/75734917
workflow_id=$(curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"\
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}/attempts/${GITHUB_RUN_ATTEMPT}/jobs | jq .jobs[].id )
RUN_URL=https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/job/${workflow_id}
echo "RUN_URL=${RUN_URL}" >> $GITHUB_ENV
shell: bash
- name: Check diff for unicode
continue-on-error: true
id: unicode_diff
run: |
set -x
git config --global --add safe.directory .
git config --global --add safe.directory "$(pwd)"
git branch -a
git log
git fetch origin refs/pull/${{ github.event.number }}/head:this_pr
git checkout this_pr
git branch -a
git log
diff=`git diff --unified=0 ${{ github.event.pull_request.base.sha }} ${{ github.event.pull_request.head.sha }} | grep -E "^[+]" | grep -Ev '^(--- a/|\+\+\+ b/)'`
if [ $? -ne 0 ]; then
# there was an error in the diff
human_result="WARNING: git diff failed!"
echo "UNICODE_HUMAN_RESULT=${human_result}" >> $GITHUB_ENV
echo "${human_result}"
exit 1
fi
unicode_diff=`echo -n "${diff}" | grep -oP "[^\x00-\x7F]*"`
unicode_grep_exit_code=$?
echo "${unicode_diff}"
unicode_diff_hexdump=`echo -n "${unicode_diff}" | hd`
if [ $? -ne 0 ]; then
# there was an error in the hexdump
human_result="WARNING: hexdump failed!"
echo "UNICODE_HUMAN_RESULT=${human_result}" >> $GITHUB_ENV
echo "${human_result}"
exit 1
fi
echo "${unicode_diff_hexdump}"
# did we select any unicode characters?
if [[ "${unicode_diff_hexdump}" == "" ]]; then
# we didn't find any unicode characters
human_result="INFO: No unicode characters found in PR's commits"
echo "${human_result}"
else
# we found at least 1 unicode character
human_result="^^ WARNING: Unicode characters found in diff!"
echo "${human_result}"
echo "${diff}"
fi
echo "UNICODE_HUMAN_RESULT=${human_result}" >> $GITHUB_ENV
shell: bash {0}
# leave a comment on the PR. See also
# * https://stackoverflow.com/a/64126737
# make sure this doesn't open command injection risks
# * https://github.com/victoriadrake/github-guestbook/issues/1#issuecomment-657121754
- name: Leave comment on PR
uses: actions/github-script@v5
with:
github-token: ${{secrets.GITHUB_TOKEN}}
script: |
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: "${{ env.UNICODE_HUMAN_RESULT }}\n\n([source](${{ env.RUN_URL }}))"
})
# Exit with or without error
- name: Exit with or without error
run: |
if [[ $(echo "${{ env.UNICODE_HUMAN_RESULT }}" | grep -Ei "ERROR|WARNING") ]]; then
exit 1
else
exit 0
shell: bash {0}