A vulnerability in GitHub Actions handlers allowed packages in Nixpkgs to be compromised.

Vulnerabilities have been disclosed in the GitHub Actions handlers that are invoked when pull requests are submitted to the Nixpkgs package repository, which is used by the NixOS distribution and the Nix package manager ecosystem. The vulnerabilities allowed an unauthenticated user to extract a token granting read and write access to the code of every package maintained in Nixpkgs. This token permitted direct modification of any package through the project's Git repository, bypassing review and approval.

The ability to compromise Nixpkgs and inject malicious code into any package was discovered by security researchers last October at the NixCon conference and was patched immediately in the project's infrastructure; the details of the attack, however, were only disclosed a year later. The problem stems from the use of GitHub Actions handlers in the Nixpkgs GitHub repository that are bound to the "pull_request_target" event and perform automated checks on new pull requests.

Unlike the "pull_request" event, handlers bound to "pull_request_target" have read/write access to the build environment, which requires special care when working with data passed in a pull request. One of the handlers bound to "pull_request_target" validated the "OWNERS" file supplied in the pull request from the repository and invoked the codeowners-validator utility:

    steps:
      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf
        with:
          ref: refs/pull/$/merge
      - run: nix-build pr/ci -A codeownersValidator
      - run: result/bin/codeowners-validator
        env:
          OWNERS_FILE: pr/ci/OWNERS

The problem is that if the OWNERS file is malformed, the codeowners-validator utility prints the contents of the offending line to the log, which is publicly accessible. The attack consisted of placing a symbolic link named OWNERS in the pull request that points to the ".credentials" file, which holds the credentials in the build environment. Processing that file therefore produced an error, and the first line, which contained the repository access token, was printed to the public log.


In addition, another vulnerability was found in the handler that checks code formatting rules:

    steps:
      - name: Get list of changed files from PR
        run: gh api […] | jq [ … ] > "$HOME/changed_files"
      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
        with:
          ref: refs/pull/$/merge
      - name: Check EditorConfig
        run: cat "$HOME/changed_files" | xargs -r editorconfig-checker

Here the problem is the use of the "xargs" utility to run editorconfig-checker over all files in the pull request. Since the file names are not validated, an attacker can include in the pull request files whose names contain special characters, and these are interpreted as command-line arguments when editorconfig-checker is run. For example, creating a file named "--help" makes editorconfig-checker print its usage text listing the available options.
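The two checks a handler running on "pull_request_target" should perform before touching pull-request-supplied paths, shown as an added example that is not code from the article or from the Nixpkgs workflows: rejecting a symlinked OWNERS file before it reaches the validator (the first issue above), and converting a changed-files list into a form that xargs cannot misread as options (the second issue). The file names, the ".credentials" content and the scratch directory are constructed for the demonstration, and printf stands in for editorconfig-checker.

```shell
#!/bin/sh
# Added example, not from the article or from the Nixpkgs workflows.
# Two defensive checks for the patterns described above; all paths and
# file contents here are constructed for illustration.

# Check 1: refuse anything that is not a plain regular file, so a symlink
# named OWNERS cannot redirect a validator at a file such as .credentials.
# -L is tested first because -f follows symlinks.
check_regular_file() {
  path="$1"
  if [ -L "$path" ]; then
    echo "refusing symlink: $path" >&2
    return 1
  fi
  if [ ! -f "$path" ]; then
    echo "not a regular file: $path" >&2
    return 1
  fi
  return 0
}

# Check 2: turn a newline-separated list of changed-file names (stdin) into a
# NUL-separated list suitable for "xargs -0". Each name is prefixed with "./",
# so a file called "--help" reaches the tool as "./--help", which no option
# parser treats as a flag. Absolute paths and ".." components are dropped.
safe_paths() {
  while IFS= read -r name; do
    [ -n "$name" ] || continue
    case "$name" in
      /*|../*|*/../*|*/..|..)
        echo "rejecting path outside the tree: $name" >&2
        continue ;;
    esac
    printf './%s\0' "$name"
  done
}

# Demonstration in a scratch directory: a symlink named OWNERS pointing at a
# constructed ".credentials" file, and a file literally named "--help".
demo() {
  tmp=$(mktemp -d)
  ( cd "$tmp" || exit 1
    printf 'TOKEN=placeholder-not-a-real-secret\n' > .credentials
    ln -s .credentials OWNERS
    printf 'root-owner\n' > real_owners
    : > ./--help

    if check_regular_file OWNERS; then echo "OWNERS accepted"; else echo "OWNERS rejected"; fi
    if check_regular_file real_owners; then echo "real_owners accepted"; fi

    # The unsafe pattern from the article is: cat list | xargs -r tool
    # With the filtered, NUL-separated list the tool only ever sees "./--help":
    printf '%s\n' '--help' 'real_owners' '/etc/passwd' \
      | safe_paths 2>/dev/null \
      | xargs -0 -r printf 'argument: [%s]\n'
  )
  rm -rf "$tmp"
}

demo
```

The "./" prefix is deliberately chosen over a "--" end-of-options marker: not every tool honours "--", whereas a path beginning with "./" is never an option to any parser, and NUL separation keeps names containing spaces or newlines from being split into extra arguments.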

Source: opennet.ru
