From 407967160e5fa76243cf83beac74ddc6b394a05a Mon Sep 17 00:00:00 2001 From: Archish Thakkar Date: Wed, 14 Oct 2020 14:10:26 +0530 Subject: [PATCH 1/5] Updated @actions/core security vulnerability fixes --- setup-env/package-lock.json | 6 +- setup-env/package.json | 2 +- setup-local/dist/index.js | 103 +++++++++++++++++++++++++++------- setup-local/package-lock.json | 6 +- setup-local/package.json | 2 +- 5 files changed, 92 insertions(+), 27 deletions(-) diff --git a/setup-env/package-lock.json b/setup-env/package-lock.json index 675a18e..112eabc 100644 --- a/setup-env/package-lock.json +++ b/setup-env/package-lock.json @@ -5,9 +5,9 @@ "requires": true, "dependencies": { "@actions/core": { - "version": "1.2.4", - "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.4.tgz", - "integrity": "sha512-YJCEq8BE3CdN8+7HPZ/4DxJjk/OkZV2FFIf+DlZTC/4iBlzYCD5yjRR6eiOS5llO11zbRltIRuKAjMKaWTE6cg==" + "version": "1.2.6", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.6.tgz", + "integrity": "sha512-ZQYitnqiyBc3D+k7LsgSBmMDVkOVidaagDG7j3fOym77jNunWRuYx7VSHa9GNfFZh+zh61xsCjRj4JxMZlDqTA==" }, "@actions/github": { "version": "4.0.0", diff --git a/setup-env/package.json b/setup-env/package.json index 12d068f..17a4ddb 100644 --- a/setup-env/package.json +++ b/setup-env/package.json @@ -25,7 +25,7 @@ "author": "", "license": "MIT", "dependencies": { - "@actions/core": "^1.2.4", + "@actions/core": "^1.2.6", "@actions/github": "^4.0.0" }, "devDependencies": { diff --git a/setup-local/dist/index.js b/setup-local/dist/index.js index 19a2e87..0fd2ad3 100644 --- a/setup-local/dist/index.js +++ b/setup-local/dist/index.js 
@@ -1616,6 +1616,32 @@ exports.default = _default; /***/ }), +/***/ 82: +/***/ (function(__unusedmodule, exports) { + +"use strict"; + +// We use any as a valid input type +/* eslint-disable @typescript-eslint/no-explicit-any */ +Object.defineProperty(exports, "__esModule", { value: true }); +/** + * Sanitizes an input into a string so it can be passed into issueCommand safely + * @param input input to sanitize into a string + */ +function toCommandValue(input) { + if (input === null || input === undefined) { + return ''; + } + else if (typeof input === 'string' || input instanceof String) { + return input; + } + return JSON.stringify(input); +} +exports.toCommandValue = toCommandValue; +//# sourceMappingURL=utils.js.map + +/***/ }), + /***/ 87: /***/ (function(module) { 
@@ -2551,6 +2577,42 @@ function regExpEscape (s) { } +/***/ }), + +/***/ 102: +/***/ (function(__unusedmodule, exports, __webpack_require__) { + +"use strict"; + +// For internal use, subject to change. +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k]; + result["default"] = mod; + return result; +}; +Object.defineProperty(exports, "__esModule", { value: true }); +// We use any as a valid input type +/* eslint-disable @typescript-eslint/no-explicit-any */ +const fs = __importStar(__webpack_require__(747)); +const os = __importStar(__webpack_require__(87)); +const utils_1 = __webpack_require__(82); +function issueCommand(command, message) { + const filePath = process.env[`GITHUB_${command}`]; + if (!filePath) { + throw new Error(`Unable to find environment variable for file command ${command}`); + } + if (!fs.existsSync(filePath)) { + throw new Error(`Missing file at path: ${filePath}`); + } + fs.appendFileSync(filePath, `${utils_1.toCommandValue(message)}${os.EOL}`, { + encoding: 'utf8' + }); +} +exports.issueCommand = issueCommand; +//# sourceMappingURL=file-command.js.map + /***/ }), /***/ 109: @@ -8840,6 +8902,7 @@ var __importStar = (this && this.__importStar) || function (mod) { }; Object.defineProperty(exports, "__esModule", { value: true }); const os = __importStar(__webpack_require__(87)); +const utils_1 = __webpack_require__(82); /** * Commands * 
@@ -8893,28 +8956,14 @@ class Command { return cmdStr; } } -/** - * Sanitizes an input into a string so it can be passed into issueCommand safely - * @param input input to sanitize into a string - */ -function toCommandValue(input) { - if (input === null || input === undefined) { - return ''; - } - else if (typeof input === 'string' || input instanceof String) { - return input; - } - return JSON.stringify(input); -} -exports.toCommandValue = toCommandValue; function escapeData(s) { - return toCommandValue(s) + return utils_1.toCommandValue(s) .replace(/%/g, '%25') .replace(/\r/g, '%0D') .replace(/\n/g, '%0A'); } function escapeProperty(s) { - return toCommandValue(s) + return utils_1.toCommandValue(s) .replace(/%/g, '%25') .replace(/\r/g, '%0D') .replace(/\n/g, '%0A') @@ -10941,6 +10990,8 @@ var __importStar = (this && this.__importStar) || function (mod) { }; Object.defineProperty(exports, "__esModule", { value: true }); const command_1 = __webpack_require__(431); +const file_command_1 = __webpack_require__(102); +const utils_1 = __webpack_require__(82); const os = __importStar(__webpack_require__(87)); const path = __importStar(__webpack_require__(622)); /** @@ -10967,9 +11018,17 @@ var ExitCode; */ // eslint-disable-next-line @typescript-eslint/no-explicit-any function exportVariable(name, val) { - const convertedVal = command_1.toCommandValue(val); + const convertedVal = utils_1.toCommandValue(val); process.env[name] = convertedVal; - command_1.issueCommand('set-env', { name }, convertedVal); + const filePath = process.env['GITHUB_ENV'] || ''; + if (filePath) { + const delimiter = '_GitHubActionsFileCommandDelimeter_'; + const commandValue = `${name}<<${delimiter}${os.EOL}${convertedVal}${os.EOL}${delimiter}`; + file_command_1.issueCommand('ENV', commandValue); + } + else { + command_1.issueCommand('set-env', { name }, convertedVal); + } } exports.exportVariable = exportVariable; /** 
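Review bot: The new GITHUB_ENV branch of `exportVariable` wraps the value in a heredoc with the fixed delimiter `_GitHubActionsFileCommandDelimeter_` and never checks `name` or `convertedVal` for that string. A value containing the delimiter on a line of its own would end the block early, and whatever follows would presumably be read from the env file as further assignments. This is bundled @actions/core code, so the fix is not an edit to dist/index.js but a move to an upstream release that generates a unique delimiter per call and rejects values containing it; the identical hunk in setup-env/dist/index.js is affected the same way. Until then, the action's own callers can refuse such input first, e.g. `if (String(val).includes('_GitHubActionsFileCommandDelimeter_')) throw new Error('unexpected delimiter in value');`.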
@@ -10985,7 +11044,13 @@ exports.setSecret = setSecret; * @param inputPath */ function addPath(inputPath) { - command_1.issueCommand('add-path', {}, inputPath); + const filePath = process.env['GITHUB_PATH'] || ''; + if (filePath) { + file_command_1.issueCommand('PATH', inputPath); + } + else { + command_1.issueCommand('add-path', {}, inputPath); + } process.env['PATH'] = `${inputPath}${path.delimiter}${process.env['PATH']}`; } exports.addPath = addPath; diff --git a/setup-local/package-lock.json b/setup-local/package-lock.json index 8df0001..ad1ab1c 100644 --- a/setup-local/package-lock.json +++ b/setup-local/package-lock.json @@ -17,9 +17,9 @@ } }, "@actions/core": { - "version": "1.2.4", - "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.4.tgz", - "integrity": "sha512-YJCEq8BE3CdN8+7HPZ/4DxJjk/OkZV2FFIf+DlZTC/4iBlzYCD5yjRR6eiOS5llO11zbRltIRuKAjMKaWTE6cg==" + "version": "1.2.6", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.6.tgz", + "integrity": "sha512-ZQYitnqiyBc3D+k7LsgSBmMDVkOVidaagDG7j3fOym77jNunWRuYx7VSHa9GNfFZh+zh61xsCjRj4JxMZlDqTA==" }, "@actions/exec": { "version": "1.0.4", diff --git a/setup-local/package.json b/setup-local/package.json index e905b08..2bdf39e 100644 --- a/setup-local/package.json +++ b/setup-local/package.json @@ -27,7 +27,7 @@ "license": "MIT", "dependencies": { "@actions/artifact": "^0.3.5", - "@actions/core": "^1.2.4", + "@actions/core": "^1.2.6", "@actions/exec": "^1.0.4", "@actions/github": "^4.0.0", "@actions/io": "^1.0.2", From d465bf7a5e88d81dec4b64d05d7be5996e1b334a Mon Sep 17 00:00:00 2001 From: Archish Thakkar Date: Wed, 14 Oct 2020 15:20:21 +0530 Subject: [PATCH 2/5] Built setup-env & added changes for dist/index.js --- setup-env/dist/index.js | 103 ++++++++++++++++++++++++++++++++-------- 1 file changed, 84 insertions(+), 19 deletions(-) diff --git a/setup-env/dist/index.js b/setup-env/dist/index.js index 4efce52..d86ac53 100644 --- a/setup-env/dist/index.js +++ b/setup-env/dist/index.js 
@@ -151,6 +151,32 @@ function onceStrict (fn) { } +/***/ }), + +/***/ 82: +/***/ (function(__unusedmodule, exports) { + +"use strict"; + +// We use any as a valid input type +/* eslint-disable @typescript-eslint/no-explicit-any */ +Object.defineProperty(exports, "__esModule", { value: true }); +/** + * Sanitizes an input into a string so it can be passed into issueCommand safely + * @param input input to sanitize into a string + */ +function toCommandValue(input) { + if (input === null || input === undefined) { + return ''; + } + else if (typeof input === 'string' || input instanceof String) { + return input; + } + return JSON.stringify(input); +} +exports.toCommandValue = toCommandValue; +//# sourceMappingURL=utils.js.map + /***/ }), /***/ 87: 
@@ -160,6 +186,42 @@ module.exports = require("os"); /***/ }), +/***/ 102: +/***/ (function(__unusedmodule, exports, __webpack_require__) { + +"use strict"; + +// For internal use, subject to change. +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k]; + result["default"] = mod; + return result; +}; +Object.defineProperty(exports, "__esModule", { value: true }); +// We use any as a valid input type +/* eslint-disable @typescript-eslint/no-explicit-any */ +const fs = __importStar(__webpack_require__(747)); +const os = __importStar(__webpack_require__(87)); +const utils_1 = __webpack_require__(82); +function issueCommand(command, message) { + const filePath = process.env[`GITHUB_${command}`]; + if (!filePath) { + throw new Error(`Unable to find environment variable for file command ${command}`); + } + if (!fs.existsSync(filePath)) { + throw new Error(`Missing file at path: ${filePath}`); + } + fs.appendFileSync(filePath, `${utils_1.toCommandValue(message)}${os.EOL}`, { + encoding: 'utf8' + }); +} +exports.issueCommand = issueCommand; +//# sourceMappingURL=file-command.js.map + +/***/ }), + /***/ 127: /***/ (function(__unusedmodule, exports, __webpack_require__) { @@ -1261,6 +1323,7 @@ var __importStar = (this && this.__importStar) || function (mod) { }; Object.defineProperty(exports, "__esModule", { value: true }); const os = __importStar(__webpack_require__(87)); +const utils_1 = __webpack_require__(82); /** * Commands * 
@@ -1314,28 +1377,14 @@ class Command { return cmdStr; } } -/** - * Sanitizes an input into a string so it can be passed into issueCommand safely - * @param input input to sanitize into a string - */ -function toCommandValue(input) { - if (input === null || input === undefined) { - return ''; - } - else if (typeof input === 'string' || input instanceof String) { - return input; - } - return JSON.stringify(input); -} -exports.toCommandValue = toCommandValue; function escapeData(s) { - return toCommandValue(s) + return utils_1.toCommandValue(s) .replace(/%/g, '%25') .replace(/\r/g, '%0D') .replace(/\n/g, '%0A'); } function escapeProperty(s) { - return toCommandValue(s) + return utils_1.toCommandValue(s) .replace(/%/g, '%25') .replace(/\r/g, '%0D') .replace(/\n/g, '%0A') @@ -3309,6 +3358,8 @@ var __importStar = (this && this.__importStar) || function (mod) { }; Object.defineProperty(exports, "__esModule", { value: true }); const command_1 = __webpack_require__(431); +const file_command_1 = __webpack_require__(102); +const utils_1 = __webpack_require__(82); const os = __importStar(__webpack_require__(87)); const path = __importStar(__webpack_require__(622)); /** @@ -3335,9 +3386,17 @@ var ExitCode; */ // eslint-disable-next-line @typescript-eslint/no-explicit-any function exportVariable(name, val) { - const convertedVal = command_1.toCommandValue(val); + const convertedVal = utils_1.toCommandValue(val); process.env[name] = convertedVal; - command_1.issueCommand('set-env', { name }, convertedVal); + const filePath = process.env['GITHUB_ENV'] || ''; + if (filePath) { + const delimiter = '_GitHubActionsFileCommandDelimeter_'; + const commandValue = `${name}<<${delimiter}${os.EOL}${convertedVal}${os.EOL}${delimiter}`; + file_command_1.issueCommand('ENV', commandValue); + } + else { + command_1.issueCommand('set-env', { name }, convertedVal); + } } exports.exportVariable = exportVariable; /** 
@@ -3353,7 +3412,13 @@ exports.setSecret = setSecret; * @param inputPath */ function addPath(inputPath) { - command_1.issueCommand('add-path', {}, inputPath); + const filePath = process.env['GITHUB_PATH'] || ''; + if (filePath) { + file_command_1.issueCommand('PATH', inputPath); + } + else { + command_1.issueCommand('add-path', {}, inputPath); + } process.env['PATH'] = `${inputPath}${path.delimiter}${process.env['PATH']}`; } exports.addPath = addPath; From ff7d5cb0fbfe65c7682600a38e8f3fd73e833581 Mon Sep 17 00:00:00 2001 From: Archish Thakkar Date: Wed, 14 Oct 2020 15:49:13 +0530 Subject: [PATCH 3/5] Bumped github action version --- setup-env/package-lock.json | 2 +- setup-env/package.json | 2 +- setup-local/package-lock.json | 2 +- setup-local/package.json | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/setup-env/package-lock.json b/setup-env/package-lock.json index 112eabc..5e92ddf 100644 --- a/setup-env/package-lock.json +++ b/setup-env/package-lock.json @@ -1,6 +1,6 @@ { "name": "setup-env", - "version": "1.0.0", + "version": "1.1.0", "lockfileVersion": 1, "requires": true, "dependencies": { diff --git a/setup-env/package.json b/setup-env/package.json index 17a4ddb..202505f 100644 --- a/setup-env/package.json +++ b/setup-env/package.json @@ -1,6 +1,6 @@ { "name": "setup-env", - "version": "1.0.0", + "version": "1.1.0", "description": "Setup BrowserStack Test Environment", "main": "src/index.js", "scripts": { diff --git a/setup-local/package-lock.json b/setup-local/package-lock.json index ad1ab1c..9206c74 100644 --- a/setup-local/package-lock.json +++ b/setup-local/package-lock.json @@ -1,6 +1,6 @@ { "name": "setup-local", - "version": "1.0.0", + "version": "1.1.0", "lockfileVersion": 1, "requires": true, "dependencies": { diff --git a/setup-local/package.json b/setup-local/package.json index 2bdf39e..f8d7f92 100644 --- a/setup-local/package.json +++ b/setup-local/package.json 
@@ -1,6 +1,6 @@ { "name": "setup-local", - "version": "1.0.0", + "version": "1.1.0", "description": "Setup BrowserStack Local Binary", "main": "src/index.js", "scripts": { From b7e409149f3e66f68c289cea72c3b9b24e40e599 Mon Sep 17 00:00:00 2001 From: Archish Thakkar Date: Wed, 14 Oct 2020 19:04:30 +0530 Subject: [PATCH 4/5] Bumped github action version to 1.0.1 --- setup-env/package-lock.json | 2 +- setup-env/package.json | 2 +- setup-local/package-lock.json | 2 +- setup-local/package.json | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/setup-env/package-lock.json b/setup-env/package-lock.json index 5e92ddf..6e568fa 100644 --- a/setup-env/package-lock.json +++ b/setup-env/package-lock.json @@ -1,6 +1,6 @@ { "name": "setup-env", - "version": "1.1.0", + "version": "1.0.1", "lockfileVersion": 1, "requires": true, "dependencies": { diff --git a/setup-env/package.json b/setup-env/package.json index 202505f..4f7abf7 100644 --- a/setup-env/package.json +++ b/setup-env/package.json @@ -1,6 +1,6 @@ { "name": "setup-env", - "version": "1.1.0", + "version": "1.0.1", "description": "Setup BrowserStack Test Environment", "main": "src/index.js", "scripts": { diff --git a/setup-local/package-lock.json b/setup-local/package-lock.json index 9206c74..ddc8bd0 100644 --- a/setup-local/package-lock.json +++ b/setup-local/package-lock.json @@ -1,6 +1,6 @@ { "name": "setup-local", - "version": "1.1.0", + "version": "1.0.1", "lockfileVersion": 1, "requires": true, "dependencies": { diff --git a/setup-local/package.json b/setup-local/package.json index f8d7f92..4199092 100644 --- a/setup-local/package.json +++ b/setup-local/package.json @@ -1,6 +1,6 @@ { "name": "setup-local", - "version": "1.1.0", + "version": "1.0.1", "description": "Setup BrowserStack Local Binary", "main": "src/index.js", "scripts": { From dfbfda10aa8ab7eb5d394fe50abb40ca477c2799 Mon Sep 17 00:00:00 2001 
From: Archish Thakkar Date: Wed, 14 Oct 2020 19:21:51 +0530 Subject: [PATCH 5/5] Updated log for local tunnel status --- setup-local/dist/index.js | 2 +- setup-local/src/binaryControl.js | 2 +- setup-local/test/binaryControl.test.js | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/setup-local/dist/index.js b/setup-local/dist/index.js index 0fd2ad3..7676e39 100644 --- a/setup-local/dist/index.js +++ b/setup-local/dist/index.js @@ -1275,7 +1275,7 @@ class BinaryControl { if (!error) { const outputParsed = JSON.parse(output); if (outputParsed.state === LOCAL_BINARY_TRIGGER.START.CONNECTED) { - core.info(`Local tunnel status: ${outputParsed.message}`); + core.info(`Local tunnel status: ${JSON.stringify(outputParsed.message)}`); return; } diff --git a/setup-local/src/binaryControl.js b/setup-local/src/binaryControl.js index f47dde2..1be9329 100644 --- a/setup-local/src/binaryControl.js +++ b/setup-local/src/binaryControl.js @@ -210,7 +210,7 @@ class BinaryControl { if (!error) { const outputParsed = JSON.parse(output); if (outputParsed.state === LOCAL_BINARY_TRIGGER.START.CONNECTED) { - core.info(`Local tunnel status: ${outputParsed.message}`); + core.info(`Local tunnel status: ${JSON.stringify(outputParsed.message)}`); return; } diff --git a/setup-local/test/binaryControl.test.js b/setup-local/test/binaryControl.test.js index dcd8068..864b8ee 100644 --- a/setup-local/test/binaryControl.test.js +++ b/setup-local/test/binaryControl.test.js 
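Review bot: In the setup-local/src/binaryControl.js hunk, `JSON.stringify(outputParsed.message)` returns `undefined` when the binary's JSON has no `message` field, so the line logs `Local tunnel status: undefined`. A fallback such as `JSON.stringify(outputParsed.message || '')` keeps the log meaningful. The call also escapes newlines in the binary's output before it reaches `core.info`, which keeps the message on one log line, and that deserves a comment: `// stringify: message is presumably not always a string, and escaping keeps it on one log line`. The enclosing BinaryControl method starts and ends outside the hunk, and the generated setup-local/dist/index.js hunk carries the same line.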
@@ -473,7 +473,7 @@ describe('Binary Control Operations', () => { await binaryControl.startBinary(); sinon.assert.calledWith(binaryControl._triggerBinary, LOCAL_TESTING.START); sinon.assert.calledWith(core.info, 'Starting local tunnel with local-identifier=someIdentifier in daemon mode...'); - sinon.assert.calledWith(core.info, 'Local tunnel status: some message'); + sinon.assert.calledWith(core.info, 'Local tunnel status: "some message"'); }); it("Starts the local tunnel successfully (without local identifier) and gets connected if the response state is 'connected'", async () => { @@ -491,7 +491,7 @@ describe('Binary Control Operations', () => { sinon.stub(binaryControl, '_triggerBinary').returns(response); await binaryControl.startBinary(); sinon.assert.calledWith(core.info, 'Starting local tunnel in daemon mode...'); - sinon.assert.calledWith(core.info, 'Local tunnel status: some message'); + sinon.assert.calledWith(core.info, 'Local tunnel status: "some message"'); }); it("Fails and doesn't connect the local tunnel if the response state is 'disconnected' after each available tries", async () => {
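Review bot: Both updated assertions, here and in the `@@ -491,7 +491,7 @@` hunk, still use a plain string message, so they only pin the new quoting. Nothing exercises the non-string `message` that presumably motivated `JSON.stringify`. Add a case whose stubbed response carries an object message and assert the serialised text, e.g. `sinon.assert.calledWith(core.info, 'Local tunnel status: {"connected":true}');` (constructed sample value). A second case with `message` absent would pin what the log prints then. The `it` blocks and their response stubs start outside the hunks.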