From e4a86b11b5211a1a2955e18e3bfbff2a5c447553 Mon Sep 17 00:00:00 2001 From: Wenxin Zhang Date: Thu, 21 Nov 2024 16:55:14 +0800 Subject: [PATCH 01/15] test check harmful cmd injection Signed-off-by: Wenxin Zhang --- .github/workflows/_example-workflow.yml | 3 ++ .github/workflows/for_test.sh | 3 ++ .github/workflows/pr-code-scan.yml | 3 ++ .../workflows/scripts/check_cmd_injection.sh | 40 +++++++++++++++++++ 4 files changed, 49 insertions(+) create mode 100644 .github/workflows/for_test.sh create mode 100644 .github/workflows/scripts/check_cmd_injection.sh diff --git a/.github/workflows/_example-workflow.yml b/.github/workflows/_example-workflow.yml index a86ac25929..cc7f83d8ab 100644 --- a/.github/workflows/_example-workflow.yml +++ b/.github/workflows/_example-workflow.yml @@ -68,6 +68,9 @@ jobs: with: ref: ${{ env.CHECKOUT_REF }} fetch-depth: 0 + + - name: Check Dangerous Command Injection + run: cd ${{ github.workspace }} && bash -x .github/workflows/scripts/check_cmd_injection.sh - name: Clone Required Repo run: | diff --git a/.github/workflows/for_test.sh b/.github/workflows/for_test.sh new file mode 100644 index 0000000000..2682291fe5 --- /dev/null +++ b/.github/workflows/for_test.sh @@ -0,0 +1,3 @@ +echo "this is for test only" +docker images +docker stop diff --git a/.github/workflows/pr-code-scan.yml b/.github/workflows/pr-code-scan.yml index e90ebe7e1a..f0e02bab37 100644 --- a/.github/workflows/pr-code-scan.yml +++ b/.github/workflows/pr-code-scan.yml @@ -33,6 +33,9 @@ jobs: steps: - name: Checkout out Repo uses: actions/checkout@v4 + + - name: Check Dangerous Command Injection + run: cd ${{ github.workspace }} && bash -x .github/workflows/scripts/check_cmd_injection.sh - name: Docker Build run: | diff --git a/.github/workflows/scripts/check_cmd_injection.sh b/.github/workflows/scripts/check_cmd_injection.sh new file mode 100644 index 0000000000..b194212311 --- /dev/null +++ b/.github/workflows/scripts/check_cmd_injection.sh 
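Review bot: The step's `run:` line invokes a script whose first action is `cd ${WORKSPACE}`, but neither this step nor the matching one added to pr-code-scan.yml in this commit sets WORKSPACE, so `cd` falls through to `$HOME` and the scan runs against the wrong directory. Set it on the step with `env:` / `WORKSPACE: ${{ github.workspace }}`, or let the script default to `${GITHUB_WORKSPACE}`, which the runner already exports. `bash -x` also traces every scanned diff line into the job log; drop `-x` once the script is stable.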
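Review bot: for_test.sh is a throwaway fixture (its first line says so, and it has no shebang) placed under .github/workflows where it can be mistaken for a real helper, and it should not be merged. If a regression test for the scanner is wanted, keep the fixture under a test directory and drive it from a job that expects the scanner to exit 1, rather than relying on the PR diff happening to contain `docker stop`.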
@@ -0,0 +1,40 @@ +#!/bin/bash +# Copyright (C) 2024 Intel Corporation +# SPDX-License-Identifier: Apache-2.0 + +#export WORKSPACE=${{ github.workspace }} +cd ${WORKSPACE} +[[ -f ${WORKSPACE}/diff_file ]] && rm -f ${WORKSPACE}/diff_file +# docker control/rm/scp/rsync/git cmd +check_list=("docker stop" "docker rm" "docker kill" "sudo rm" "git .* -f") + +# exclude path +exclude_check_path="${WORKSPACE}/.github/workflows/scripts" + +# get change file lists (exclue delete files) +change_files=$(git diff main --name-status -- :^$exclude_check_path | grep -v "D" | awk '{print $2}') + +status="success" +for file in ${change_files}; +do + echo "file name is ${file}" + # check file type: shell yaml python + if [[ ! $(echo ${file} | grep -E ".*\.sh") ]] && [[ ! $(echo ${file} | grep -E "*.ya?ml") ]] && [[ ! $(echo ${file} | grep -E ".*\.py") ]]; + then + echo "This file ${file} no need to check, exit" + exit 0 + fi + # get added command + git diff main ${file} | grep "^\+.*" | grep -v "^+++" | sed "s|\+||g" > ${WORKSPACE}/diff_file + cat diff_file | while read line; do + echo $line; + for (( i=0; i<${#check_list[@]}; i++)); do + if [[ $line == *"${check_list[$i]}"* ]]; then + echo "Found Dangerous Command: $line in $file, Please Check" + status="failed" + fi; + done; + done +done +[[ -f ${WORKSPACE}/diff_file ]] && rm -f ${WORKSPACE}/diff_file +[[ $status == "failed" ]] && exit 1 || exit 0 From 07afbc412f06c827fde0f0732db6f028db095bea Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Thu, 21 Nov 2024 09:01:54 +0000 Subject: [PATCH 02/15] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- .github/workflows/_example-workflow.yml | 2 +- .github/workflows/for_test.sh | 3 +++ .github/workflows/pr-code-scan.yml | 2 +- .github/workflows/scripts/check_cmd_injection.sh | 12 ++++++------ 4 files changed, 11 insertions(+), 8 deletions(-) 
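Review bot: The file-type guard ends in `exit 0`, so the first changed file that is not .sh/.yml/.py (a README, a Dockerfile) ends the whole scan with success and every later entry in `change_files` is never checked; that line should be `continue`. Two further problems make the result unreliable: `grep -v "D"` drops every path containing a capital D (Dockerfile, README.md) instead of only deleted entries, and the `cat diff_file | while read` pipeline runs in a subshell, so `status="failed"` never reaches the final `[[ $status == "failed" ]]` and the script always exits 0. The `"git .* -f"` entry is written as a regex but `[[ $line == *"…"* ]]` compares it literally, and `grep -E "*.ya?ml"` has a leading `*` whose meaning in an ERE is implementation-defined, so whether YAML files are selected depends on the grep build; anchor the extension test as `\.(sh|ya?ml|py)$`. A rewrite of the file selection and the per-file loop is sketched below; the rest of the script is unchanged.
```shell
# deleted files are excluded by git itself; $NF picks the new name for renames
change_files=$(git diff main --name-status --diff-filter=d -- ":^$exclude_check_path" | awk '{print $NF}')

status="success"
for file in ${change_files}; do
  echo "file name is ${file}"
  # only shell, yaml and python files are scanned; skip the rest instead of exiting
  if [[ ! "$file" =~ \.(sh|ya?ml|py)$ ]]; then
    echo "This file ${file} no need to check, skip"
    continue
  fi
  # added lines only, with just the leading '+' removed (not every '+' in the line)
  git diff main -- "$file" | grep '^+' | grep -v '^+++' | sed 's/^+//' > "${WORKSPACE}/diff_file"
  # redirect into the loop so status= survives; unquoted RHS makes each entry a regex
  while IFS= read -r line; do
    for pattern in "${check_list[@]}"; do
      if [[ "$line" =~ $pattern ]]; then
        echo "Found Dangerous Command: $line in $file, Please Check"
        status="failed"
      fi
    done
  done < "${WORKSPACE}/diff_file"
done
# … unchanged: diff_file cleanup and final exit …
```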
diff --git a/.github/workflows/_example-workflow.yml b/.github/workflows/_example-workflow.yml index cc7f83d8ab..250c2ed081 100644 --- a/.github/workflows/_example-workflow.yml +++ b/.github/workflows/_example-workflow.yml @@ -68,7 +68,7 @@ jobs: with: ref: ${{ env.CHECKOUT_REF }} fetch-depth: 0 - + - name: Check Dangerous Command Injection run: cd ${{ github.workspace }} && bash -x .github/workflows/scripts/check_cmd_injection.sh diff --git a/.github/workflows/for_test.sh b/.github/workflows/for_test.sh index 2682291fe5..40f6c29c5e 100644 --- a/.github/workflows/for_test.sh +++ b/.github/workflows/for_test.sh @@ -1,3 +1,6 @@ +# Copyright (C) 2024 Intel Corporation +# SPDX-License-Identifier: Apache-2.0 + echo "this is for test only" docker images docker stop diff --git a/.github/workflows/pr-code-scan.yml b/.github/workflows/pr-code-scan.yml index f0e02bab37..4db0f6a0fb 100644 --- a/.github/workflows/pr-code-scan.yml +++ b/.github/workflows/pr-code-scan.yml @@ -33,7 +33,7 @@ jobs: steps: - name: Checkout out Repo uses: actions/checkout@v4 - + - name: Check Dangerous Command Injection run: cd ${{ github.workspace }} && bash -x .github/workflows/scripts/check_cmd_injection.sh diff --git a/.github/workflows/scripts/check_cmd_injection.sh b/.github/workflows/scripts/check_cmd_injection.sh index b194212311..dad9a54f69 100644 --- a/.github/workflows/scripts/check_cmd_injection.sh +++ b/.github/workflows/scripts/check_cmd_injection.sh @@ -11,7 +11,7 @@ check_list=("docker stop" "docker rm" "docker kill" "sudo rm" "git .* -f") # exclude path exclude_check_path="${WORKSPACE}/.github/workflows/scripts" -# get change file lists (exclue delete files) +# get change file lists (exclude delete files) change_files=$(git diff main --name-status -- :^$exclude_check_path | grep -v "D" | awk '{print $2}') status="success" 
@@ -26,14 +26,14 @@ do fi # get added command git diff main ${file} | grep "^\+.*" | grep -v "^+++" | sed "s|\+||g" > ${WORKSPACE}/diff_file - cat diff_file | while read line; do - echo $line; - for (( i=0; i<${#check_list[@]}; i++)); do + cat diff_file | while read line; do + echo $line; + for (( i=0; i<${#check_list[@]}; i++)); do if [[ $line == *"${check_list[$i]}"* ]]; then echo "Found Dangerous Command: $line in $file, Please Check" status="failed" - fi; - done; + fi; + done; done done [[ -f ${WORKSPACE}/diff_file ]] && rm -f ${WORKSPACE}/diff_file From f341776f63aa2c4796d8d5692fd897df15f9e807 Mon Sep 17 00:00:00 2001 From: Wenxin Zhang Date: Fri, 22 Nov 2024 10:00:48 +0800 Subject: [PATCH 03/15] add env var Signed-off-by: Wenxin Zhang --- .github/workflows/_example-workflow.yml | 5 +++- .github/workflows/pr-code-scan.yml | 3 ++- .../workflows/scripts/check_cmd_injection.sh | 24 ++++++++++++------- 3 files changed, 21 insertions(+), 11 deletions(-) diff --git a/.github/workflows/_example-workflow.yml b/.github/workflows/_example-workflow.yml index cc7f83d8ab..f79f397535 100644 --- a/.github/workflows/_example-workflow.yml +++ b/.github/workflows/_example-workflow.yml @@ -70,7 +70,10 @@ jobs: fetch-depth: 0 - name: Check Dangerous Command Injection - run: cd ${{ github.workspace }} && bash -x .github/workflows/scripts/check_cmd_injection.sh + run: | + export WORKSPACE=${{ github.workspace }} + cd ${{ github.workspace }} + bash -x .github/workflows/scripts/check_cmd_injection.sh - name: Clone Required Repo run: | diff --git a/.github/workflows/pr-code-scan.yml b/.github/workflows/pr-code-scan.yml index f0e02bab37..9e9982a3fa 100644 --- a/.github/workflows/pr-code-scan.yml +++ b/.github/workflows/pr-code-scan.yml @@ -22,6 +22,7 @@ env: REPO_TAG: "1.0" DOCKER_FILE_NAME: "code-scan" CONTAINER_NAME: "code-scan" + WORKSPACE: ${{ github.workspace }} jobs: code-scan: 
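Review bot: WORKSPACE is exported inline here with `export WORKSPACE=${{ github.workspace }}` while the same commit sets it for pr-code-scan.yml at the workflow `env:` level; pick one form, preferably `env:` on the step, so the value is not expanded into the shell command text at all. The unquoted expansion in `export` and `cd` is harmless today because runner workspace paths contain no spaces, but `cd "${{ github.workspace }}"` is the safer habit and keeps the two workflows consistent.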
@@ -33,7 +34,7 @@ jobs: steps: - name: Checkout out Repo uses: actions/checkout@v4 - + - name: Check Dangerous Command Injection run: cd ${{ github.workspace }} && bash -x .github/workflows/scripts/check_cmd_injection.sh diff --git a/.github/workflows/scripts/check_cmd_injection.sh b/.github/workflows/scripts/check_cmd_injection.sh index b194212311..855b122e35 100644 --- a/.github/workflows/scripts/check_cmd_injection.sh +++ b/.github/workflows/scripts/check_cmd_injection.sh @@ -26,15 +26,21 @@ do fi # get added command git diff main ${file} | grep "^\+.*" | grep -v "^+++" | sed "s|\+||g" > ${WORKSPACE}/diff_file - cat diff_file | while read line; do - echo $line; - for (( i=0; i<${#check_list[@]}; i++)); do - if [[ $line == *"${check_list[$i]}"* ]]; then - echo "Found Dangerous Command: $line in $file, Please Check" - status="failed" - fi; - done; - done + #cat diff_file | while read line; do + # echo $line; + # for (( i=0; i<${#check_list[@]}; i++)); do + # if [[ $line == *"${check_list[$i]}"* ]]; then + # echo "Found Dangerous Command: $line in $file, Please Check" + # status="failed" + # fi; + # done; + #done + for (( i=0; i<${#check_list[@]}; i++)); do + if [[ $(cat diff_file | grep -c "${check_list[$i]}") != 0 ]]; then + echo "Found Dangerous Command: $line in $file, Please Check" + status="failed" + fi; + done; done [[ -f ${WORKSPACE}/diff_file ]] && rm -f ${WORKSPACE}/diff_file [[ $status == "failed" ]] && exit 1 || exit 0 From 415c497c049993a21459e690508b4cd3f30c2ed8 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Fri, 22 Nov 2024 02:02:53 +0000 Subject: [PATCH 04/15] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- .github/workflows/scripts/check_cmd_injection.sh | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
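Review bot: The message `echo "Found Dangerous Command: $line in $file, Please Check"` still interpolates `$line`, which is no longer assigned now that the per-line loop is commented out, so every finding logs an empty match. Print the matching lines themselves, e.g. `grep -n -- "${check_list[$i]}" diff_file`, and delete the commented-out block rather than carrying it. Note that switching to `grep -c` changes the check_list entries from literal substrings to basic regular expressions, which is what `"git .* -f"` needed; a comment on the array saying the entries are BRE patterns would save the next reader the surprise.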
diff --git a/.github/workflows/scripts/check_cmd_injection.sh b/.github/workflows/scripts/check_cmd_injection.sh index 87f4596d7f..9e4b8d2e1d 100644 --- a/.github/workflows/scripts/check_cmd_injection.sh +++ b/.github/workflows/scripts/check_cmd_injection.sh @@ -26,21 +26,21 @@ do fi # get added command git diff main ${file} | grep "^\+.*" | grep -v "^+++" | sed "s|\+||g" > ${WORKSPACE}/diff_file - #cat diff_file | while read line; do - # echo $line; - # for (( i=0; i<${#check_list[@]}; i++)); do + #cat diff_file | while read line; do + # echo $line; + # for (( i=0; i<${#check_list[@]}; i++)); do # if [[ $line == *"${check_list[$i]}"* ]]; then # echo "Found Dangerous Command: $line in $file, Please Check" # status="failed" - # fi; - # done; + # fi; + # done; #done - for (( i=0; i<${#check_list[@]}; i++)); do + for (( i=0; i<${#check_list[@]}; i++)); do if [[ $(cat diff_file | grep -c "${check_list[$i]}") != 0 ]]; then echo "Found Dangerous Command: $line in $file, Please Check" status="failed" - fi; - done; + fi; + done; done [[ -f ${WORKSPACE}/diff_file ]] && rm -f ${WORKSPACE}/diff_file [[ $status == "failed" ]] && exit 1 || exit 0 From 0b9a4c7c2560c5ca294b4b71bcb022463f9a0ea1 Mon Sep 17 00:00:00 2001 From: Wenxin Zhang Date: Fri, 22 Nov 2024 10:19:51 +0800 Subject: [PATCH 05/15] git fetch before diff Signed-off-by: Wenxin Zhang --- .github/workflows/scripts/check_cmd_injection.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/scripts/check_cmd_injection.sh b/.github/workflows/scripts/check_cmd_injection.sh index 87f4596d7f..8408d3bc57 100644 --- a/.github/workflows/scripts/check_cmd_injection.sh +++ b/.github/workflows/scripts/check_cmd_injection.sh @@ -2,7 +2,7 @@ # Copyright (C) 2024 Intel Corporation # SPDX-License-Identifier: Apache-2.0 -#export WORKSPACE=${{ github.workspace }} +set -e cd ${WORKSPACE} [[ -f ${WORKSPACE}/diff_file ]] && rm -f ${WORKSPACE}/diff_file # docker control/rm/scp/rsync/git cmd 
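Review bot: `set -e` is placed above `cd ${WORKSPACE}`, but an unset or empty WORKSPACE makes `cd` succeed into `$HOME`, so the guard does not cover the most likely misconfiguration; put `: "${WORKSPACE:?WORKSPACE must be set}"` before it and write `cd -- "$WORKSPACE"`. `-e` also never sees a failure of `git diff` inside the `change_files` pipeline because the pipeline's status is awk's; add `set -o pipefail` or check the diff command separately. The rest of the script lies outside this hunk.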
@@ -12,6 +12,7 @@ check_list=("docker stop" "docker rm" "docker kill" "sudo rm" "git .* -f") exclude_check_path="${WORKSPACE}/.github/workflows/scripts" # get change file lists (exclude delete files) +git fetch origin main change_files=$(git diff main --name-status -- :^$exclude_check_path | grep -v "D" | awk '{print $2}') status="success" From 7cfe6859fd349aa94ca53d7a83748b2f631d4612 Mon Sep 17 00:00:00 2001 From: VincyZhang Date: Fri, 22 Nov 2024 10:41:44 +0800 Subject: [PATCH 06/15] Update pr-code-scan.yml --- .github/workflows/pr-code-scan.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pr-code-scan.yml b/.github/workflows/pr-code-scan.yml index 9e9982a3fa..ece86dc992 100644 --- a/.github/workflows/pr-code-scan.yml +++ b/.github/workflows/pr-code-scan.yml @@ -36,7 +36,15 @@ jobs: uses: actions/checkout@v4 - name: Check Dangerous Command Injection - run: cd ${{ github.workspace }} && bash -x .github/workflows/scripts/check_cmd_injection.sh + run: | + echo "github ref is ${{ github.ref }}" + echo "github ref name is ${{ github.ref_name }}" + echo "github head ref is ${{ github.head_ref }}" + echo "github base ref is ${{ github.base_ref }}" + git fetch origin main + git branch + git diff FETCH_HEAD --name-status + cd ${{ github.workspace }} && bash -x .github/workflows/scripts/check_cmd_injection.sh - name: Docker Build run: | From 639684d5a95cf39f1330e60f332350d112eef3ef Mon Sep 17 00:00:00 2001 From: VincyZhang Date: Fri, 22 Nov 2024 10:44:43 +0800 Subject: [PATCH 07/15] Update pr-code-scan.yml --- .github/workflows/pr-code-scan.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pr-code-scan.yml b/.github/workflows/pr-code-scan.yml index ece86dc992..90c852b5de 100644 --- a/.github/workflows/pr-code-scan.yml +++ b/.github/workflows/pr-code-scan.yml 
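Review bot: `git fetch origin main` is added, but the next line still diffs against the local ref `main`, which the fetch neither creates nor updates; on an actions/checkout clone there is usually no local `main`, so `git diff main` fails inside the command substitution, the pipeline still returns awk's status, and `change_files` is silently empty, i.e. the check passes without scanning anything. Diff against `FETCH_HEAD` or `origin/main` here and in the per-file `git diff main ${file}` further down, and fail the script when the diff command itself errors.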
@@ -41,6 +41,7 @@ jobs: echo "github ref name is ${{ github.ref_name }}" echo "github head ref is ${{ github.head_ref }}" echo "github base ref is ${{ github.base_ref }}" + echo "github merge ref is refs/pull/${{ github.event.number }}/merge" git fetch origin main git branch git diff FETCH_HEAD --name-status From b77f1a59777a9d0ca7c1e737165863c2b3276563 Mon Sep 17 00:00:00 2001 From: VincyZhang Date: Fri, 22 Nov 2024 10:47:18 +0800 Subject: [PATCH 08/15] Update check_cmd_injection.sh --- .github/workflows/scripts/check_cmd_injection.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scripts/check_cmd_injection.sh b/.github/workflows/scripts/check_cmd_injection.sh index dc9af7d038..35cf10f441 100644 --- a/.github/workflows/scripts/check_cmd_injection.sh +++ b/.github/workflows/scripts/check_cmd_injection.sh @@ -13,7 +13,7 @@ exclude_check_path="${WORKSPACE}/.github/workflows/scripts" # get change file lists (exclude delete files) git fetch origin main -change_files=$(git diff main --name-status -- :^$exclude_check_path | grep -v "D" | awk '{print $2}') +change_files=$(git diff FETCH_HEAD --name-status -- :^$exclude_check_path | grep -v "D" | awk '{print $2}') status="success" for file in ${change_files}; From 6d5ed6f8b767c4738beec80ef3ac46a827a125d1 Mon Sep 17 00:00:00 2001 From: VincyZhang Date: Fri, 22 Nov 2024 10:48:33 +0800 Subject: [PATCH 09/15] Update check_cmd_injection.sh --- .github/workflows/scripts/check_cmd_injection.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scripts/check_cmd_injection.sh b/.github/workflows/scripts/check_cmd_injection.sh index 35cf10f441..e94d548e33 100644 --- a/.github/workflows/scripts/check_cmd_injection.sh +++ b/.github/workflows/scripts/check_cmd_injection.sh 
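Review bot: `git diff FETCH_HEAD --name-status` compares the working tree with the tip of main, so for a PR branch that is behind main every commit that landed on main since the branch point appears in reverse (main's additions as removals and vice versa) and is either ignored or wrongly attributed to the PR. Diffing from the merge base, `git diff "$(git merge-base FETCH_HEAD HEAD)" --name-status …`, restricts the scan to what the PR itself introduces; the same applies to the per-file `git diff FETCH_HEAD ${file}` changed in the next commit. On the `pull_request` merge ref the checkout presumably already contains main, so the difference would show up only on a direct branch checkout or on pull_request_target.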
@@ -26,7 +26,7 @@ do exit 0 fi # get added command - git diff main ${file} | grep "^\+.*" | grep -v "^+++" | sed "s|\+||g" > ${WORKSPACE}/diff_file + git diff FETCH_HEAD ${file} | grep "^\+.*" | grep -v "^+++" | sed "s|\+||g" > ${WORKSPACE}/diff_file #cat diff_file | while read line; do # echo $line; # for (( i=0; i<${#check_list[@]}; i++)); do From 5d025b5e684ece1c68b3e0d673b256e618ddaa42 Mon Sep 17 00:00:00 2001 From: VincyZhang Date: Fri, 22 Nov 2024 10:49:49 +0800 Subject: [PATCH 10/15] Update pr-code-scan.yml --- .github/workflows/pr-code-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr-code-scan.yml b/.github/workflows/pr-code-scan.yml index 90c852b5de..13f5168632 100644 --- a/.github/workflows/pr-code-scan.yml +++ b/.github/workflows/pr-code-scan.yml @@ -42,7 +42,7 @@ jobs: echo "github head ref is ${{ github.head_ref }}" echo "github base ref is ${{ github.base_ref }}" echo "github merge ref is refs/pull/${{ github.event.number }}/merge" - git fetch origin main + git fetch git branch git diff FETCH_HEAD --name-status cd ${{ github.workspace }} && bash -x .github/workflows/scripts/check_cmd_injection.sh From 9c79ee0fc061c1ee163f1e4289bb0e85fa8be826 Mon Sep 17 00:00:00 2001 From: VincyZhang Date: Fri, 22 Nov 2024 10:53:12 +0800 Subject: [PATCH 11/15] Update pr-code-scan.yml --- .github/workflows/pr-code-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr-code-scan.yml b/.github/workflows/pr-code-scan.yml index 13f5168632..90c852b5de 100644 --- a/.github/workflows/pr-code-scan.yml +++ b/.github/workflows/pr-code-scan.yml 
@@ -42,7 +42,7 @@ jobs: echo "github head ref is ${{ github.head_ref }}" echo "github base ref is ${{ github.base_ref }}" echo "github merge ref is refs/pull/${{ github.event.number }}/merge" - git fetch + git fetch origin main git branch git diff FETCH_HEAD --name-status cd ${{ github.workspace }} && bash -x .github/workflows/scripts/check_cmd_injection.sh From e41e3f85ca7ce0d43384b5a357b38c54facb68d5 Mon Sep 17 00:00:00 2001 From: VincyZhang Date: Fri, 22 Nov 2024 10:54:02 +0800 Subject: [PATCH 12/15] Update check_cmd_injection.sh --- .github/workflows/scripts/check_cmd_injection.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/scripts/check_cmd_injection.sh b/.github/workflows/scripts/check_cmd_injection.sh index e94d548e33..199a590153 100644 --- a/.github/workflows/scripts/check_cmd_injection.sh +++ b/.github/workflows/scripts/check_cmd_injection.sh @@ -31,14 +31,14 @@ do # echo $line; # for (( i=0; i<${#check_list[@]}; i++)); do # if [[ $line == *"${check_list[$i]}"* ]]; then - # echo "Found Dangerous Command: $line in $file, Please Check" + # echo "Found Dangerous Command: ${check_list[$i]} in $file, Please Check" # status="failed" # fi; # done; #done for (( i=0; i<${#check_list[@]}; i++)); do if [[ $(cat diff_file | grep -c "${check_list[$i]}") != 0 ]]; then - echo "Found Dangerous Command: $line in $file, Please Check" + echo "Found Dangerous Command: ${check_list[$i]} in $file, Please Check" status="failed" fi; done; From d31601dbd4907662fd34c13de6d3793383a5f7f8 Mon Sep 17 00:00:00 2001 From: VincyZhang Date: Fri, 22 Nov 2024 11:22:25 +0800 Subject: [PATCH 13/15] Update check_cmd_injection.sh --- .github/workflows/scripts/check_cmd_injection.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scripts/check_cmd_injection.sh b/.github/workflows/scripts/check_cmd_injection.sh index 199a590153..ebc88e010f 100644 --- a/.github/workflows/scripts/check_cmd_injection.sh 
+++ b/.github/workflows/scripts/check_cmd_injection.sh @@ -9,7 +9,7 @@ cd ${WORKSPACE} check_list=("docker stop" "docker rm" "docker kill" "sudo rm" "git .* -f") # exclude path -exclude_check_path="${WORKSPACE}/.github/workflows/scripts" +exclude_check_path=".github/workflows/scripts" # get change file lists (exclude delete files) git fetch origin main From dd0511438f03da6a46132d82ade7099015b77768 Mon Sep 17 00:00:00 2001 From: VincyZhang Date: Fri, 22 Nov 2024 11:34:43 +0800 Subject: [PATCH 14/15] Update pr-code-scan.yml --- .github/workflows/pr-code-scan.yml | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/.github/workflows/pr-code-scan.yml b/.github/workflows/pr-code-scan.yml index 90c852b5de..d09897379d 100644 --- a/.github/workflows/pr-code-scan.yml +++ b/.github/workflows/pr-code-scan.yml @@ -36,16 +36,8 @@ jobs: uses: actions/checkout@v4 - name: Check Dangerous Command Injection - run: | - echo "github ref is ${{ github.ref }}" - echo "github ref name is ${{ github.ref_name }}" - echo "github head ref is ${{ github.head_ref }}" - echo "github base ref is ${{ github.base_ref }}" - echo "github merge ref is refs/pull/${{ github.event.number }}/merge" - git fetch origin main - git branch - git diff FETCH_HEAD --name-status - cd ${{ github.workspace }} && bash -x .github/workflows/scripts/check_cmd_injection.sh + if: github.event_name == 'pull_request' || github.event_name == 'pull_request_target' + run: cd ${{ github.workspace }} && bash -x .github/workflows/scripts/check_cmd_injection.sh - name: Docker Build run: | From b9327dbb4ff34751d2c81719de501b4c8c65ab6d Mon Sep 17 00:00:00 2001 From: VincyZhang Date: Fri, 22 Nov 2024 11:38:11 +0800 Subject: [PATCH 15/15] Update check_cmd_injection.sh --- .github/workflows/scripts/check_cmd_injection.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
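Review bot: Making `exclude_check_path` relative is what lets the `:^` pathspec work, but the directory it excludes is the one holding this scanner, so a PR that edits check_cmd_injection.sh (or a helper it sources from the same directory) is the one change the scanner never sees. Either drop the exclusion, or narrow it to the single file and make the exception explicit, e.g. `exclude_check_path=".github/workflows/scripts/check_cmd_injection.sh"  # the scanner cannot meaningfully scan itself`, and protect that path through CODEOWNERS review instead.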
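Review bot: The new `if:` also runs the step on `pull_request_target`, but the checkout step above has no `ref:`, so on that event the working tree is the base branch and `git diff FETCH_HEAD` against main finds nothing; the scan would pass vacuously on exactly the event where untrusted PR content meets a privileged token. Unless this workflow is meant to run on `pull_request_target`, gate on `github.event_name == 'pull_request'` only. If it is, the checkout must be chosen deliberately and the job's `permissions:` kept read-only, since the step executes a script taken from the checked-out tree.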
diff --git a/.github/workflows/scripts/check_cmd_injection.sh b/.github/workflows/scripts/check_cmd_injection.sh index ebc88e010f..435480b73b 100644 --- a/.github/workflows/scripts/check_cmd_injection.sh +++ b/.github/workflows/scripts/check_cmd_injection.sh @@ -5,6 +5,7 @@ set -e cd ${WORKSPACE} [[ -f ${WORKSPACE}/diff_file ]] && rm -f ${WORKSPACE}/diff_file +source .github/workflows/scripts/change_color # docker control/rm/scp/rsync/git cmd check_list=("docker stop" "docker rm" "docker kill" "sudo rm" "git .* -f") @@ -38,7 +39,7 @@ do #done for (( i=0; i<${#check_list[@]}; i++)); do if [[ $(cat diff_file | grep -c "${check_list[$i]}") != 0 ]]; then - echo "Found Dangerous Command: ${check_list[$i]} in $file, Please Check" + $BOLD_RED && echo "Found Dangerous Command: ${check_list[$i]} in $file, Please Check" status="failed" fi; done;
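Review bot: `$BOLD_RED && echo "Found Dangerous Command: …"` executes the variable's value as a command, and because a failing first element of an `&&` list is ignored by `set -e`, a BOLD_RED that holds a bare escape sequence (or is unset after a failed source) makes the finding message silently disappear while `status="failed"` still runs — the job fails with no explanation in the log. If change_color provides an escape sequence, print it as data, `printf '%s%s\n' "${BOLD_RED:-}" "Found Dangerous Command: ${check_list[$i]} in $file, Please Check"`, and add a comment above the `source` line naming what change_color defines. The `source .github/workflows/scripts/change_color` in the first hunk also aborts the script under `set -e` when the file is missing, which is indistinguishable from a finding in the workflow result; test for the file first and emit a clear message.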