From 7bfa3a4717ef143a604ee0a99d859b8886a96d00 Mon Sep 17 00:00:00 2001
From: semantic-release-bot
Date: Thu, 4 Apr 2024 17:10:12 +0000
Subject: [PATCH] build(release): 1.9.3 [skip ci]

## [1.9.3](https://github.com/actions/create-github-app-token/compare/v1.9.2...v1.9.3) (2024-04-04)

### Bug Fixes

* **deps:** bump undici from 6.10.2 to 6.11.1 ([#125](https://github.com/actions/create-github-app-token/issues/125)) ([3c223c7](https://github.com/actions/create-github-app-token/commit/3c223c7336e276235eb843dd4e6ad42147199cbf)), closes [#3024](https://github.com/actions/create-github-app-token/issues/3024) [nodejs/undici#3044](https://github.com/nodejs/undici/issues/3044) [#3023](https://github.com/actions/create-github-app-token/issues/3023) [nodejs/undici#3025](https://github.com/nodejs/undici/issues/3025) [nodejs/undici#3024](https://github.com/nodejs/undici/issues/3024) [nodejs/undici#3034](https://github.com/nodejs/undici/issues/3034) [nodejs/undici#3038](https://github.com/nodejs/undici/issues/3038) [nodejs/undici#2947](https://github.com/nodejs/undici/issues/2947) [nodejs/undici#3040](https://github.com/nodejs/undici/issues/3040) [nodejs/undici#3036](https://github.com/nodejs/undici/issues/3036) [nodejs/undici#3041](https://github.com/nodejs/undici/issues/3041) [#3024](https://github.com/actions/create-github-app-token/issues/3024) [#3041](https://github.com/actions/create-github-app-token/issues/3041) [#3036](https://github.com/actions/create-github-app-token/issues/3036)
---
 dist/main.cjs | 134 ++++++++++++++++++++++++++++++++------------------
 dist/post.cjs | 134 ++++++++++++++++++++++++++++++++------------------
 package.json | 2 +-
 3 files changed, 171 insertions(+), 99 deletions(-)

diff --git a/dist/main.cjs b/dist/main.cjs
index f23fe29..a381c76 100644
--- a/dist/main.cjs
+++ b/dist/main.cjs
@@ -13168,8 +13168,6 @@ var require_util = __commonJS({ return tree.lookup(value) ?? value.toString("latin1").toLowerCase(); } function parseHeaders(headers, obj) { - if (!Array.isArray(headers)) - return headers; if (obj === void 0) obj = {}; for (let i = 0; i < headers.length; i += 2) { @@ -14962,9 +14960,9 @@ var require_data_url = __commonJS({ var assert = require("node:assert"); var encoder = new TextEncoder(); var HTTP_TOKEN_CODEPOINTS = /^[!#$%&'*+-.^_|~A-Za-z0-9]+$/; - var HTTP_WHITESPACE_REGEX = /[\u000A|\u000D|\u0009|\u0020]/; + var HTTP_WHITESPACE_REGEX = /[\u000A\u000D\u0009\u0020]/; var ASCII_WHITESPACE_REPLACE_REGEX = /[\u0009\u000A\u000C\u000D\u0020]/g; - var HTTP_QUOTED_STRING_TOKENS = /[\u0009|\u0020-\u007E|\u0080-\u00FF]/; + var HTTP_QUOTED_STRING_TOKENS = /[\u0009\u0020-\u007E\u0080-\u00FF]/; function dataURLProcessor(dataURL) { assert(dataURL.protocol === "data:"); let input = URLSerializer(dataURL, true); @@ -15726,9 +15724,12 @@ var require_util2 = __commonJS({ var assert = require("node:assert"); var { isUint8Array } = require("node:util/types"); var { webidl } = require_webidl(); + var supportedHashes = []; var crypto4; try { crypto4 = require("node:crypto"); + const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; + supportedHashes = crypto4.getHashes().filter((hash) => possibleRelevantHashes.includes(hash)); } catch { } function responseURL(response) { 
@@ -16009,45 +16010,37 @@ var require_util2 = __commonJS({ if (parsedMetadata.length === 0) { return true; } - const list = parsedMetadata.sort((c, d) => d.algo.localeCompare(c.algo)); - const strongest = list[0].algo; - const metadata = list.filter((item) => item.algo === strongest); + const strongest = getStrongestMetadata(parsedMetadata); + const metadata = filterMetadataListByAlgorithm(parsedMetadata, strongest); for (const item of metadata) { const algorithm = item.algo; - let expectedValue = item.hash; - if (expectedValue.endsWith("==")) { - expectedValue = expectedValue.slice(0, -2); - } + const expectedValue = item.hash; let actualValue = crypto4.createHash(algorithm).update(bytes).digest("base64"); - if (actualValue.endsWith("==")) { - actualValue = actualValue.slice(0, -2); - } - if (actualValue === expectedValue) { - return true; - } - let actualBase64URL = crypto4.createHash(algorithm).update(bytes).digest("base64url"); - if (actualBase64URL.endsWith("==")) { - actualBase64URL = actualBase64URL.slice(0, -2); + if (actualValue[actualValue.length - 1] === "=") { + if (actualValue[actualValue.length - 2] === "=") { + actualValue = actualValue.slice(0, -2); + } else { + actualValue = actualValue.slice(0, -1); + } } - if (actualBase64URL === expectedValue) { + if (compareBase64Mixed(actualValue, expectedValue)) { return true; } } return false; } - var parseHashWithOptions = /(?sha256|sha384|sha512)-(?[A-Za-z0-9+/]+={0,2}(?=\s|$))( +[!-~]*)?/i; + var parseHashWithOptions = /(?sha256|sha384|sha512)-((?[A-Za-z0-9+/]+|[A-Za-z0-9_-]+)={0,2}(?:\s|$)( +[!-~]*)?)?/i; function parseMetadata(metadata) { const result = []; let empty = true; - const supportedHashes = crypto4.getHashes(); for (const token of metadata.split(" ")) { empty = false; const parsedToken = parseHashWithOptions.exec(token); - if (parsedToken === null || parsedToken.groups === void 0) { + if (parsedToken === null || parsedToken.groups === void 0 || parsedToken.groups.algo === void 0) { continue; } 
- const algorithm = parsedToken.groups.algo; - if (supportedHashes.includes(algorithm.toLowerCase())) { + const algorithm = parsedToken.groups.algo.toLowerCase(); + if (supportedHashes.includes(algorithm)) { result.push(parsedToken.groups); } } @@ -16056,6 +16049,51 @@ var require_util2 = __commonJS({ } return result; } + function getStrongestMetadata(metadataList) { + let algorithm = metadataList[0].algo; + if (algorithm[3] === "5") { + return algorithm; + } + for (let i = 1; i < metadataList.length; ++i) { + const metadata = metadataList[i]; + if (metadata.algo[3] === "5") { + algorithm = "sha512"; + break; + } else if (algorithm[3] === "3") { + continue; + } else if (metadata.algo[3] === "3") { + algorithm = "sha384"; + } + } + return algorithm; + } + function filterMetadataListByAlgorithm(metadataList, algorithm) { + if (metadataList.length === 1) { + return metadataList; + } + let pos = 0; + for (let i = 0; i < metadataList.length; ++i) { + if (metadataList[i].algo === algorithm) { + metadataList[pos++] = metadataList[i]; + } + } + metadataList.length = pos; + return metadataList; + } + function compareBase64Mixed(actualValue, expectedValue) { + if (actualValue.length !== expectedValue.length) { + return false; + } + for (let i = 0; i < actualValue.length; ++i) { + if (actualValue[i] !== expectedValue[i]) { + if (actualValue[i] === "+" && expectedValue[i] === "-" || actualValue[i] === "/" && expectedValue[i] === "_") { + continue; + } + return false; + } + } + return true; + } function tryUpgradeRequestToAPotentiallyTrustworthyURL(request2) { } function sameOrigin(A, B) { @@ -18499,6 +18537,14 @@ var require_client_h2 = __commonJS({ HTTP2_HEADER_STATUS } } = http2; + function parseH2Headers(headers) { + headers = Object.entries(headers).flat(2); + const result = []; + for (const header of headers) { + result.push(Buffer.from(header)); + } + return result; + } async function connectH2(client, socket) { client[kSocket] = socket; if (!h2ExperimentalWarned) { 
@@ -18734,7 +18780,13 @@ var require_client_h2 = __commonJS({ stream.once("response", (headers2) => { const { [HTTP2_HEADER_STATUS]: statusCode, ...realHeaders } = headers2; request2.onResponseStarted(); - if (request2.onHeaders(Number(statusCode), realHeaders, stream.resume.bind(stream), "") === false) { + if (request2.aborted || request2.completed) { + const err = new RequestAbortedError(); + errorRequest(client, request2, err); + util.destroy(stream, err); + return; + } + if (request2.onHeaders(Number(statusCode), parseH2Headers(realHeaders), stream.resume.bind(stream), "") === false) { stream.pause(); } stream.on("data", (chunk) => { @@ -19054,9 +19106,9 @@ var require_redirect_handler = __commonJS({ if (removeContent && util.headerNameToString(header).startsWith("content-")) { return true; } - if (unknownOrigin && (header.length === 13 || header.length === 6)) { + if (unknownOrigin && (header.length === 13 || header.length === 6 || header.length === 19)) { const name = util.headerNameToString(header); - return name === "authorization" || name === "cookie"; + return name === "authorization" || name === "cookie" || name === "proxy-authorization"; } return false; } @@ -22379,6 +22431,8 @@ var require_pending_interceptors_formatter = __commonJS({ "use strict"; var { Transform } = require("node:stream"); var { Console } = require("node:console"); + var PERSISTENT = process.versions.icu ? "\u2705" : "Y "; + var NOT_PERSISTENT = process.versions.icu ? "\u274C" : "N "; module2.exports = class PendingInterceptorsFormatter { constructor({ disableColors } = {}) { this.transform = new Transform({ @@ -22400,7 +22454,7 @@ var require_pending_interceptors_formatter = __commonJS({ Origin: origin, Path: path, "Status code": statusCode, - Persistent: persist ? "\u2705" : "\u274C", + Persistent: persist ? PERSISTENT : NOT_PERSISTENT, Invocations: timesInvoked, Remaining: persist ? Infinity : times - timesInvoked }) 
@@ -22670,7 +22724,7 @@ var require_headers = __commonJS({ } = require_util2(); var { webidl } = require_webidl(); var assert = require("node:assert"); - var util = require("util"); + var util = require("node:util"); var kHeadersMap = Symbol("headers map"); var kHeadersSortedMap = Symbol("headers map sorted"); function isHTTPWhiteSpaceCharCode(code) { @@ -25161,24 +25215,6 @@ var require_fetch = __commonJS({ codings = contentEncoding.toLowerCase().split(",").map((x) => x.trim()); } location = headersList.get("location", true); - } else { - const keys = Object.keys(rawHeaders); - for (let i = 0; i < keys.length; ++i) { - const key = keys[i]; - const value = rawHeaders[key]; - if (key === "set-cookie") { - for (let j = 0; j < value.length; ++j) { - headersList.append(key, value[j], true); - } - } else { - headersList.append(key, value, true); - } - } - const contentEncoding = rawHeaders["content-encoding"]; - if (contentEncoding) { - codings = contentEncoding.toLowerCase().split(",").map((x) => x.trim()).reverse(); - } - location = rawHeaders.location; } this.body = new Readable({ read: resume }); const decoders = []; diff --git a/dist/post.cjs b/dist/post.cjs index e57ecdd..823b1df 100644 --- a/dist/post.cjs +++ b/dist/post.cjs @@ -2928,8 +2928,6 @@ var require_util = __commonJS({ return tree.lookup(value) ?? value.toString("latin1").toLowerCase(); } function parseHeaders(headers, obj) { - if (!Array.isArray(headers)) - return headers; if (obj === void 0) obj = {}; for (let i = 0; i < headers.length; i += 2) { 
@@ -4722,9 +4720,9 @@ var require_data_url = __commonJS({ var assert = require("node:assert"); var encoder = new TextEncoder(); var HTTP_TOKEN_CODEPOINTS = /^[!#$%&'*+-.^_|~A-Za-z0-9]+$/; - var HTTP_WHITESPACE_REGEX = /[\u000A|\u000D|\u0009|\u0020]/; + var HTTP_WHITESPACE_REGEX = /[\u000A\u000D\u0009\u0020]/; var ASCII_WHITESPACE_REPLACE_REGEX = /[\u0009\u000A\u000C\u000D\u0020]/g; - var HTTP_QUOTED_STRING_TOKENS = /[\u0009|\u0020-\u007E|\u0080-\u00FF]/; + var HTTP_QUOTED_STRING_TOKENS = /[\u0009\u0020-\u007E\u0080-\u00FF]/; function dataURLProcessor(dataURL) { assert(dataURL.protocol === "data:"); let input = URLSerializer(dataURL, true); @@ -5486,9 +5484,12 @@ var require_util2 = __commonJS({ var assert = require("node:assert"); var { isUint8Array } = require("node:util/types"); var { webidl } = require_webidl(); + var supportedHashes = []; var crypto4; try { crypto4 = require("node:crypto"); + const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; + supportedHashes = crypto4.getHashes().filter((hash) => possibleRelevantHashes.includes(hash)); } catch { } function responseURL(response) { 
@@ -5769,45 +5770,37 @@ var require_util2 = __commonJS({ if (parsedMetadata.length === 0) { return true; } - const list = parsedMetadata.sort((c, d) => d.algo.localeCompare(c.algo)); - const strongest = list[0].algo; - const metadata = list.filter((item) => item.algo === strongest); + const strongest = getStrongestMetadata(parsedMetadata); + const metadata = filterMetadataListByAlgorithm(parsedMetadata, strongest); for (const item of metadata) { const algorithm = item.algo; - let expectedValue = item.hash; - if (expectedValue.endsWith("==")) { - expectedValue = expectedValue.slice(0, -2); - } + const expectedValue = item.hash; let actualValue = crypto4.createHash(algorithm).update(bytes).digest("base64"); - if (actualValue.endsWith("==")) { - actualValue = actualValue.slice(0, -2); - } - if (actualValue === expectedValue) { - return true; - } - let actualBase64URL = crypto4.createHash(algorithm).update(bytes).digest("base64url"); - if (actualBase64URL.endsWith("==")) { - actualBase64URL = actualBase64URL.slice(0, -2); + if (actualValue[actualValue.length - 1] === "=") { + if (actualValue[actualValue.length - 2] === "=") { + actualValue = actualValue.slice(0, -2); + } else { + actualValue = actualValue.slice(0, -1); + } } - if (actualBase64URL === expectedValue) { + if (compareBase64Mixed(actualValue, expectedValue)) { return true; } } return false; } - var parseHashWithOptions = /(?sha256|sha384|sha512)-(?[A-Za-z0-9+/]+={0,2}(?=\s|$))( +[!-~]*)?/i; + var parseHashWithOptions = /(?sha256|sha384|sha512)-((?[A-Za-z0-9+/]+|[A-Za-z0-9_-]+)={0,2}(?:\s|$)( +[!-~]*)?)?/i; function parseMetadata(metadata) { const result = []; let empty = true; - const supportedHashes = crypto4.getHashes(); for (const token of metadata.split(" ")) { empty = false; const parsedToken = parseHashWithOptions.exec(token); - if (parsedToken === null || parsedToken.groups === void 0) { + if (parsedToken === null || parsedToken.groups === void 0 || parsedToken.groups.algo === void 0) { continue; } - 
const algorithm = parsedToken.groups.algo; - if (supportedHashes.includes(algorithm.toLowerCase())) { + const algorithm = parsedToken.groups.algo.toLowerCase(); + if (supportedHashes.includes(algorithm)) { result.push(parsedToken.groups); } } @@ -5816,6 +5809,51 @@ var require_util2 = __commonJS({ } return result; } + function getStrongestMetadata(metadataList) { + let algorithm = metadataList[0].algo; + if (algorithm[3] === "5") { + return algorithm; + } + for (let i = 1; i < metadataList.length; ++i) { + const metadata = metadataList[i]; + if (metadata.algo[3] === "5") { + algorithm = "sha512"; + break; + } else if (algorithm[3] === "3") { + continue; + } else if (metadata.algo[3] === "3") { + algorithm = "sha384"; + } + } + return algorithm; + } + function filterMetadataListByAlgorithm(metadataList, algorithm) { + if (metadataList.length === 1) { + return metadataList; + } + let pos = 0; + for (let i = 0; i < metadataList.length; ++i) { + if (metadataList[i].algo === algorithm) { + metadataList[pos++] = metadataList[i]; + } + } + metadataList.length = pos; + return metadataList; + } + function compareBase64Mixed(actualValue, expectedValue) { + if (actualValue.length !== expectedValue.length) { + return false; + } + for (let i = 0; i < actualValue.length; ++i) { + if (actualValue[i] !== expectedValue[i]) { + if (actualValue[i] === "+" && expectedValue[i] === "-" || actualValue[i] === "/" && expectedValue[i] === "_") { + continue; + } + return false; + } + } + return true; + } function tryUpgradeRequestToAPotentiallyTrustworthyURL(request2) { } function sameOrigin(A, B) { @@ -8259,6 +8297,14 @@ var require_client_h2 = __commonJS({ HTTP2_HEADER_STATUS } } = http2; + function parseH2Headers(headers) { + headers = Object.entries(headers).flat(2); + const result = []; + for (const header of headers) { + result.push(Buffer.from(header)); + } + return result; + } async function connectH2(client, socket) { client[kSocket] = socket; if (!h2ExperimentalWarned) { 
@@ -8494,7 +8540,13 @@ var require_client_h2 = __commonJS({ stream.once("response", (headers2) => { const { [HTTP2_HEADER_STATUS]: statusCode, ...realHeaders } = headers2; request2.onResponseStarted(); - if (request2.onHeaders(Number(statusCode), realHeaders, stream.resume.bind(stream), "") === false) { + if (request2.aborted || request2.completed) { + const err = new RequestAbortedError(); + errorRequest(client, request2, err); + util.destroy(stream, err); + return; + } + if (request2.onHeaders(Number(statusCode), parseH2Headers(realHeaders), stream.resume.bind(stream), "") === false) { stream.pause(); } stream.on("data", (chunk) => { @@ -8814,9 +8866,9 @@ var require_redirect_handler = __commonJS({ if (removeContent && util.headerNameToString(header).startsWith("content-")) { return true; } - if (unknownOrigin && (header.length === 13 || header.length === 6)) { + if (unknownOrigin && (header.length === 13 || header.length === 6 || header.length === 19)) { const name = util.headerNameToString(header); - return name === "authorization" || name === "cookie"; + return name === "authorization" || name === "cookie" || name === "proxy-authorization"; } return false; } @@ -12139,6 +12191,8 @@ var require_pending_interceptors_formatter = __commonJS({ "use strict"; var { Transform } = require("node:stream"); var { Console } = require("node:console"); + var PERSISTENT = process.versions.icu ? "\u2705" : "Y "; + var NOT_PERSISTENT = process.versions.icu ? "\u274C" : "N "; module2.exports = class PendingInterceptorsFormatter { constructor({ disableColors } = {}) { this.transform = new Transform({ @@ -12160,7 +12214,7 @@ var require_pending_interceptors_formatter = __commonJS({ Origin: origin, Path: path, "Status code": statusCode, - Persistent: persist ? "\u2705" : "\u274C", + Persistent: persist ? PERSISTENT : NOT_PERSISTENT, Invocations: timesInvoked, Remaining: persist ? Infinity : times - timesInvoked }) 
@@ -12430,7 +12484,7 @@ var require_headers = __commonJS({ } = require_util2(); var { webidl } = require_webidl(); var assert = require("node:assert"); - var util = require("util"); + var util = require("node:util"); var kHeadersMap = Symbol("headers map"); var kHeadersSortedMap = Symbol("headers map sorted"); function isHTTPWhiteSpaceCharCode(code) { @@ -14921,24 +14975,6 @@ var require_fetch = __commonJS({ codings = contentEncoding.toLowerCase().split(",").map((x) => x.trim()); } location = headersList.get("location", true); - } else { - const keys = Object.keys(rawHeaders); - for (let i = 0; i < keys.length; ++i) { - const key = keys[i]; - const value = rawHeaders[key]; - if (key === "set-cookie") { - for (let j = 0; j < value.length; ++j) { - headersList.append(key, value[j], true); - } - } else { - headersList.append(key, value, true); - } - } - const contentEncoding = rawHeaders["content-encoding"]; - if (contentEncoding) { - codings = contentEncoding.toLowerCase().split(",").map((x) => x.trim()).reverse(); - } - location = rawHeaders.location; } this.body = new Readable({ read: resume }); const decoders = []; diff --git a/package.json b/package.json index c1a9731..3055f0b 100644 --- a/package.json +++ b/package.json @@ -2,7 +2,7 @@ "name": "create-github-app-token", "private": true, "type": "module", - "version": "1.9.2", + "version": "1.9.3", "description": "GitHub Action for creating a GitHub App Installation Access Token", "scripts": { "build": "esbuild main.js post.js --bundle --outdir=dist --out-extension:.js=.cjs --platform=node --target=node20.0.0",