Skip to content

Commit

Permalink
Escape category names
Browse files Browse the repository at this point in the history
Ensure category names are sanitized before converting them to an
environment variable.
  • Loading branch information
aeisenberg committed Nov 4, 2021
1 parent 730dae8 commit 4764f83
Show file tree
Hide file tree
Showing 9 changed files with 41 additions and 7 deletions.
1 change: 1 addition & 0 deletions lib/actions-util.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion lib/actions-util.js.map

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion lib/upload-lib.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion lib/upload-lib.js.map

Large diffs are not rendered by default.

8 changes: 8 additions & 0 deletions lib/upload-lib.test.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion lib/upload-lib.test.js.map

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions src/actions-util.ts
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,7 @@ export const getCommitOid = async function (ref = "HEAD"): Promise<string> {
core.info(
`Failed to call git to get current commit. Continuing with data from environment: ${e}`
);
core.info((e as Error).stack || "NO STACK");
return getRequiredEnvParam("GITHUB_SHA");
}
};
Expand Down
10 changes: 10 additions & 0 deletions src/upload-lib.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -185,4 +185,14 @@ test("validateUniqueCategory", (t) => {

t.notThrows(() => uploadLib.validateUniqueCategory("def"));
t.throws(() => uploadLib.validateUniqueCategory("def"));

// Our category sanitization is not perfect. Here are some examples
// of where we see false clashes
t.notThrows(() => uploadLib.validateUniqueCategory("abc/def"));
t.throws(() => uploadLib.validateUniqueCategory("abc@def"));
t.throws(() => uploadLib.validateUniqueCategory("abc_def"));
t.throws(() => uploadLib.validateUniqueCategory("abc def"));

// this one is fine
t.notThrows(() => uploadLib.validateUniqueCategory("abc_ def"));
});
20 changes: 17 additions & 3 deletions src/upload-lib.ts
Original file line number Diff line number Diff line change
Expand Up @@ -404,15 +404,29 @@ async function uploadFiles(
export function validateUniqueCategory(category: string | undefined) {
if (util.isActions()) {
// This check only works on actions as env vars don't persist between calls to the runner
const sentinelEnvVar = `CODEQL_UPLOAD_SARIF + ${
category ? `_${category}` : ""
const sentinelEnvVar = `CODEQL_UPLOAD_SARIF${
category ? `_${sanitize(category)}` : ""
}`;
if (process.env[sentinelEnvVar]) {
throw new Error(
"Aborting upload: only one run of the codeql/analyze or codeql/upload-sarif actions is allowed per job per category. " +
"Please specify a unique `category` to call this action multiple times."
"Please specify a unique `category` to call this action multiple times. " +
`Category: ${category ? category : "(none)"}`
);
}
core.exportVariable(sentinelEnvVar, sentinelEnvVar);
}
}

/**
* Santizes a string to be used as an environment variable name.
* This will replace all non-alphanumeric characters with underscores.
* There could still be some false category clashes if two uploads
* occur that differ only in their non-alphanumeric characters. This is
* unlikely.
*
* @param str the initial value to sanitize
*/
function sanitize(str: string) {
return str.replace(/[^a-zA-Z0-9_]/g, "_");
}

0 comments on commit 4764f83

Please sign in to comment.