GitHub OIDC: validate job_workflow_ref
#11263
Conversation
Add a bunch of counterexample tests to be certain.
This is more or less the same as the original implementation, except that we now use a strict regex ( |
Hm, I've left a comment and GitHub is not showing it to me. I wonder if GitHub lost my comment. Let me know if this is the first comment you see of me in this PR. Edit: ah here it is. GitHub is insisting on hiding it from me for some reason. #11263 (comment) Anyway, the discussion we originally had was like this: #10753 (comment) And I'm not seeing the same things as we discussed, but maybe I'm misunderstanding the goal of this PR |
Yeah, sorry if this was unclear: the goal here is not to support reusable workflows. We're only using The reason we're doing this is because the separate |
This LGTM but want to make sure @ewjoachim's concerns have been addressed before merging.
Ok so there's one question left from my other comment:
I believe this will confuse rsplit. |
Yeah, I think you're right. I don't have a clean solution for this, then -- we could do an unambiguous parse by referencing the All of this is technically outside of our threat model (#10644), since the attack here assumes that the attacker manages to fool the repository owner into introducing a malicious workflow. Thoughts on just reverting back to the |
Okay, this should do the trick: we're now using the
...where |
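The ambiguity discussed above comes from the claim being several pieces joined with "/" and "@" and no escaping, so no split or regex can recover the pieces without guessing. The block below is an added illustration, not code from this PR or from warehouse: it shows two different (filename, ref) pairs that serialize to the same `job_workflow_ref`, a guessing parser that necessarily picks one of them, and the compose-and-compare approach in which the expected string is built from the configured repository and workflow filename plus the token's separately signed `ref` claim and compared whole. The use of the `repository` and `ref` claims as ground truth is an assumption of this example (they are real GitHub OIDC claims, but the thread above does not name them).

```python
# Added illustration; not code from pypi/warehouse or from PR #11263.
WORKFLOWS_PREFIX = "/.github/workflows/"


def serialize_jwr(repository: str, filename: str, ref: str) -> str:
    """Join the pieces the way the thread describes the claim: no escaping,
    so an "@" inside a filename or a ref looks exactly like the separator."""
    return f"{repository}{WORKFLOWS_PREFIX}{filename}@{ref}"


def naive_parse(jwr: str) -> tuple:
    """A guessing parser of the kind the thread rejects: ref is whatever
    follows the last "@", filename whatever follows the last workflows prefix."""
    path, _, ref = jwr.rpartition("@")
    repository, _, filename = path.rpartition(WORKFLOWS_PREFIX)
    return repository, filename, ref


def verify_job_workflow_ref(signed_claims: dict, expected_repository: str,
                            expected_filename: str) -> bool:
    """Compose the only string we are willing to accept from the configured
    repository/filename and the token's own `ref` claim (assumed available,
    and signed by the same issuer), then compare it whole. Nothing is parsed
    out of the claim, so the ambiguity never has to be resolved by guessing."""
    jwr = signed_claims.get("job_workflow_ref")
    repository = signed_claims.get("repository")
    ref = signed_claims.get("ref")
    if not jwr or not repository or not ref:
        return False  # defensive: never reason about a missing claim
    if repository != expected_repository:
        return False
    return jwr == serialize_jwr(expected_repository, expected_filename, ref)


if __name__ == "__main__":
    # Constructed inputs: a workflow file literally named "release.yml@x" on
    # branch "y", and "release.yml" on a branch named "x@y", serialize alike.
    a = serialize_jwr("octo/repo", "release.yml@x", "y")
    b = serialize_jwr("octo/repo", "release.yml", "x@y")
    print(a == b, naive_parse(a), naive_parse(b))

    # With the signed ref claim the two cases are told apart without parsing.
    for ref in ("x@y", "y"):
        claims = {"repository": "octo/repo", "ref": ref, "job_workflow_ref": b}
        print(ref, verify_job_workflow_ref(claims, "octo/repo", "release.yml"))
```

The guessing parser returns the same triple for both constructed inputs, so whichever convention it picks is wrong for one of them; the compose-and-compare check accepts the string only when the signed `ref` claim makes the expected string match exactly, and rejects a mismatched repository, a different workflow filename, or any missing claim.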
Will let @ewjoachim re-review as well.
Haha, I'm sorry for taking nice code away and forcing you to write less nice code :D (blame GitHub for mixing parts of strings together in a bigger string without any kind of escaping and expecting us to parse the bits ourselves)
Seems good now :)
$ python -m this | grep amb
In the face of ambiguity, refuse the temptation to guess.
Much appreciated, @ewjoachim 🙂 |
It's greatly appreciated! Precision is a virtue, especially in anything remotely involving security 🙂 |
* tests, warehouse: validate job_workflow_ref

Add a bunch of counterexample tests to be certain.

* oidc/models: wrap `re.match` to make mypy happy
* tests/oidc: update
* warehouse, tests: fix `job_workflow_ref` regex
* tests, warehouse: refactor `job_workflow_ref` again
* warehouse, tests: refactor `job_workflow_ref` verification again

Co-authored-by: Dustin Ingram <di@users.noreply.github.com>
Also adds a bunch of counterexample tests to be certain.