diff --git a/.github/workflows/_example-workflow.yml b/.github/workflows/_example-workflow.yml
index a86ac25929..e73086ad6a 100644
--- a/.github/workflows/_example-workflow.yml
+++ b/.github/workflows/_example-workflow.yml
@@ -69,6 +69,12 @@ jobs:
ref: ${{ env.CHECKOUT_REF }}
fetch-depth: 0

+ - name: Check Dangerous Command Injection
+ run: |
+ export WORKSPACE=${{ github.workspace }}
+ cd ${{ github.workspace }}
+ bash -x .github/workflows/scripts/check_cmd_injection.sh
+
- name: Clone Required Repo
run: |
cd ${{ github.workspace }}/${{ inputs.example }}/docker_image_build
diff --git a/.github/workflows/for_test.sh b/.github/workflows/for_test.sh
new file mode 100644
index 0000000000..40f6c29c5e
--- /dev/null
+++ b/.github/workflows/for_test.sh
@@ -0,0 +1,6 @@
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+echo "this is for test only"
+docker images
+docker stop
diff --git a/.github/workflows/pr-code-scan.yml b/.github/workflows/pr-code-scan.yml
index e90ebe7e1a..d09897379d 100644
--- a/.github/workflows/pr-code-scan.yml
+++ b/.github/workflows/pr-code-scan.yml
@@ -22,6 +22,7 @@ env:
REPO_TAG: "1.0"
DOCKER_FILE_NAME: "code-scan"
CONTAINER_NAME: "code-scan"
+ WORKSPACE: ${{ github.workspace }}

jobs:
code-scan:
@@ -34,6 +35,10 @@ jobs:
- name: Checkout out Repo
uses: actions/checkout@v4

+ - name: Check Dangerous Command Injection
+ if: github.event_name == 'pull_request' || github.event_name == 'pull_request_target'
+ run: cd ${{ github.workspace }} && bash -x .github/workflows/scripts/check_cmd_injection.sh
+
- name: Docker Build
run: |
docker build -f ${{ github.workspace }}/.github/workflows/docker/${{ env.DOCKER_FILE_NAME }}.dockerfile -t ${{ env.REPO_NAME }}:${{ env.REPO_TAG }} .
diff --git a/.github/workflows/scripts/check_cmd_injection.sh b/.github/workflows/scripts/check_cmd_injection.sh
new file mode 100644
index 0000000000..435480b73b
--- /dev/null
+++ b/.github/workflows/scripts/check_cmd_injection.sh
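Review bot: The new step runs `check_cmd_injection.sh` from whatever `ref: ${{ env.CHECKOUT_REF }}` checked out a few lines above, and the script itself excludes `.github/workflows/scripts` from its scan, so if CHECKOUT_REF can resolve to a pull-request head the checker that runs is the PR's own copy and edits to it are never scanned; the safer shape is to fetch the script from the base ref into a separate path and execute that, or at minimum to drop the self-exclusion. The same step added in pr-code-scan.yml has an `if:` guard on the event name while this one does not, so here it also runs on non-PR events where a diff against `origin main` is not a PR's change set; mirror `if: github.event_name == 'pull_request' || github.event_name == 'pull_request_target'` or document why this workflow scans unconditionally. The value of CHECKOUT_REF is set outside this hunk, so whether it can be a PR head is inferred, not visible.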
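Review bot: `for_test.sh` is placed at `.github/workflows/for_test.sh`, outside the excluded `.github/workflows/scripts` path, and deliberately contains `docker stop`, so it will trip the new check on this very PR; if it exists only to exercise the checker it should be dropped before merge, and if it is meant to stay it needs a purpose comment such as `# fixture: expected to be flagged by check_cmd_injection.sh`. It also has no shebang line, so nothing states which shell it is meant for.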
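Review bot: The `if:` on the new step admits `pull_request_target`, but the preceding `actions/checkout@v4` has no `ref:`, and for that event the default checkout is the base branch rather than the PR merge commit, so `git diff FETCH_HEAD` against `origin main` inside the script would see none of the PR's changes and the check would pass vacuously. The `on:` block is outside this hunk, so I cannot tell whether the workflow is ever fired by that event; if it is, the step needs an explicit checkout of the PR merge ref to scan, and if it is not, the condition should be narrowed to `if: github.event_name == 'pull_request'` so the gap is not reintroduced later. The script's `WORKSPACE` is supplied here through the `env:` block in the earlier hunk while `_example-workflow.yml` exports it inline in the step; one convention across both workflows would make the dependency easier to spot.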
@@ -0,0 +1,48 @@
+#!/bin/bash
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+cd ${WORKSPACE}
+[[ -f ${WORKSPACE}/diff_file ]] && rm -f ${WORKSPACE}/diff_file
+source .github/workflows/scripts/change_color
+# docker control/rm/scp/rsync/git cmd
+check_list=("docker stop" "docker rm" "docker kill" "sudo rm" "git .* -f")
+
+# exclude path
+exclude_check_path=".github/workflows/scripts"
+
+# get change file lists (exclude delete files)
+git fetch origin main
+change_files=$(git diff FETCH_HEAD --name-status -- :^$exclude_check_path | grep -v "D" | awk '{print $2}')
+
+status="success"
+for file in ${change_files};
+do
+ echo "file name is ${file}"
+ # check file type: shell yaml python
+ if [[ ! $(echo ${file} | grep -E ".*\.sh") ]] && [[ ! $(echo ${file} | grep -E "*.ya?ml") ]] && [[ ! $(echo ${file} | grep -E ".*\.py") ]];
+ then
+ echo "This file ${file} no need to check, exit"
+ exit 0
+ fi
+ # get added command
+ git diff FETCH_HEAD ${file} | grep "^\+.*" | grep -v "^+++" | sed "s|\+||g" > ${WORKSPACE}/diff_file
+ #cat diff_file | while read line; do
+ # echo $line;
+ # for (( i=0; i<${#check_list[@]}; i++)); do
+ # if [[ $line == *"${check_list[$i]}"* ]]; then
+ # echo "Found Dangerous Command: ${check_list[$i]} in $file, Please Check"
+ # status="failed"
+ # fi;
+ # done;
+ #done
+ for (( i=0; i<${#check_list[@]}; i++)); do
+ if [[ $(cat diff_file | grep -c "${check_list[$i]}") != 0 ]]; then
+ $BOLD_RED && echo "Found Dangerous Command: ${check_list[$i]} in $file, Please Check"
+ status="failed"
+ fi;
+ done;
+done
+[[ -f ${WORKSPACE}/diff_file ]] && rm -f ${WORKSPACE}/diff_file
+[[ $status == "failed" ]] && exit 1 || exit 0
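Review bot: `exit 0` inside the `for file` loop ends the whole script, with success, at the first changed file that is not .sh/.yaml/.py, so any shell or workflow file that sorts after, say, a README is never scanned; it has to be `continue`. The YAML test `grep -E "*.ya?ml"` begins the ERE with `*`, which GNU grep treats as a literal asterisk rather than a quantifier, so `.yml` workflow files appear to land in the skip branch and hit that `exit 0` — worth confirming with a sample path. `grep -v "D"` in `change_files` drops every entry whose path contains a capital D (a `Deploy.sh` would be skipped), not only deletions; anchor it as `grep -v "^D"`, and `awk '{print $NF}'` gives the new name for renames where `$2` gives the old one. `sed "s|\+||g"` strips every `+` from the added lines rather than the leading marker, so a line such as `i++` is altered before matching; `sed 's/^+//'` keeps the content intact. The file-type test reads more clearly as a `case`:

```shell
change_files=$(git diff FETCH_HEAD --name-status -- :^$exclude_check_path | grep -v "^D" | awk '{print $NF}')
# … unchanged: status="success", loop header, "file name is" echo …
    # check file type: shell yaml python; other files are skipped, not fatal
    case "${file}" in
        *.sh|*.yml|*.yaml|*.py) ;;
        *) echo "This file ${file} no need to check, skip"; continue ;;
    esac
    # get added command (strip only the leading diff marker)
    git diff FETCH_HEAD ${file} | grep "^\+.*" | grep -v "^+++" | sed 's/^+//' > ${WORKSPACE}/diff_file
# … unchanged: check_list loop, cleanup and exit status …
```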