bug fixes

h0x0er 2024-10-17 15:02:44 +05:30
commit 30636fb583
No known key found for this signature in database
GPG key ID: 191FD2B45D961149
8 changed files with 138 additions and 86 deletions

22
dist/post/index.js vendored

@ -3013,9 +3013,12 @@ function isDocker() {
return isDockerCached;
}
// EXTERNAL MODULE: external "path"
var external_path_ = __nccwpck_require__(277);
;// CONCATENATED MODULE: ./src/arc-runner.ts
function isArcRunner() {
const runnerUserAgent = process.env["GITHUB_ACTIONS_RUNNER_EXTRA_USER_AGENT"];
let isARC = false;
@ -3042,8 +3045,9 @@ function sendAllowedEndpoints(endpoints) {
const allowedEndpoints = endpoints.split(" "); // endpoints are space separated
for (const endpoint of allowedEndpoints) {
if (endpoint) {
const encodedEndpoint = Buffer.from(endpoint).toString("base64");
cp.execSync(`echo "${endpoint}" > "${getRunnerTempDir()}/step_policy_endpoint_${encodedEndpoint}"`);
let encodedEndpoint = Buffer.from(endpoint).toString("base64");
let fileName = path.join(getRunnerTempDir(), `step_policy_endpoint_${encodedEndpoint}`);
echo(fileName);
}
}
if (allowedEndpoints.length > 0) {
@ -3051,14 +3055,12 @@ function sendAllowedEndpoints(endpoints) {
}
}
function applyPolicy(count) {
const fileName = `step_policy_apply_${count}`;
cp.execSync(`echo "${fileName}" > "${getRunnerTempDir()}/${fileName}"`);
let applyPolicyStr = `step_policy_apply_${count}`;
let fileName = path.join(getRunnerTempDir(), applyPolicyStr);
echo(fileName);
}
function removeStepPolicyFiles() {
external_child_process_namespaceObject.execSync(`rm ${getRunnerTempDir()}/step_policy_*`);
}
function arcCleanUp() {
external_child_process_namespaceObject.execSync(`echo "cleanup" > "${getRunnerTempDir()}/step_policy_cleanup"`);
function echo(content) {
cp.execFileSync("echo", [content]);
}
;// CONCATENATED MODULE: ./src/cleanup.ts
@ -3088,8 +3090,6 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
}
if (isArcRunner()) {
console.log(`[!] ${ARC_RUNNER_MESSAGE}`);
arcCleanUp();
removeStepPolicyFiles();
return;
}
if (process.env.STATE_selfHosted === "true") {

File diff suppressed because one or more lines are too long

140
dist/pre/index.js vendored

@ -20024,11 +20024,12 @@ exports.setSpanContext = setSpanContext;
"use strict";
Object.defineProperty(exports, "__esModule", ({ value: true }));
var abortController = __nccwpck_require__(2557);
var crypto = __nccwpck_require__(6417);
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT license.
/**
* Creates an abortable promise.
* @param buildPromise - A function that takes the resolve and reject functions as parameters.
@ -20069,7 +20070,6 @@ function createAbortablePromise(buildPromise, options) {
}
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT license.
const StandardAbortMessage = "The delay was aborted.";
/**
* A wrapper for setTimeout that resolves a promise after timeInMs milliseconds.
@ -20089,27 +20089,6 @@ function delay(timeInMs, options) {
});
}
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT license.
/**
* promise.race() wrapper that aborts rest of promises as soon as the first promise settles.
*/
async function cancelablePromiseRace(abortablePromiseBuilders, options) {
var _a, _b;
const aborter = new abortController.AbortController();
function abortHandler() {
aborter.abort();
}
(_a = options === null || options === void 0 ? void 0 : options.abortSignal) === null || _a === void 0 ? void 0 : _a.addEventListener("abort", abortHandler);
try {
return await Promise.race(abortablePromiseBuilders.map((p) => p({ abortSignal: aborter.signal })));
}
finally {
aborter.abort();
(_b = options === null || options === void 0 ? void 0 : options.abortSignal) === null || _b === void 0 ? void 0 : _b.removeEventListener("abort", abortHandler);
}
}
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT license.
/**
@ -20146,7 +20125,6 @@ function isObject(input) {
}
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT license.
/**
* Typeguard for an error object shape (has name and message)
* @param e - Something caught by a catch clause.
@ -20187,7 +20165,6 @@ function getErrorMessage(e) {
}
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT license.
/**
* Generates a SHA-256 HMAC signature.
* @param key - The HMAC key represented as a base64 string, used to generate the cryptographic HMAC hash.
@ -20312,20 +20289,16 @@ const isWebWorker = typeof self === "object" &&
(((_a = self.constructor) === null || _a === void 0 ? void 0 : _a.name) === "DedicatedWorkerGlobalScope" ||
((_b = self.constructor) === null || _b === void 0 ? void 0 : _b.name) === "ServiceWorkerGlobalScope" ||
((_c = self.constructor) === null || _c === void 0 ? void 0 : _c.name) === "SharedWorkerGlobalScope");
/**
* A constant that indicates whether the environment the code is running is Node.JS.
*/
const isNode = typeof process !== "undefined" && Boolean(process.version) && Boolean((_d = process.versions) === null || _d === void 0 ? void 0 : _d.node);
/**
* A constant that indicates whether the environment the code is running is Deno.
*/
const isDeno = typeof Deno !== "undefined" &&
typeof Deno.version !== "undefined" &&
typeof Deno.version.deno !== "undefined";
/**
* A constant that indicates whether the environment the code is running is Node.JS.
*/
const isNode = typeof process !== "undefined" &&
Boolean(process.version) &&
Boolean((_d = process.versions) === null || _d === void 0 ? void 0 : _d.node) &&
// Deno thought it was a good idea to spoof process.versions.node, see https://deno.land/std@0.177.0/node/process.ts?s=versions
!isDeno;
/**
* A constant that indicates whether the environment the code is running is Bun.sh.
*/
@ -20345,7 +20318,14 @@ const isReactNative = typeof navigator !== "undefined" && (navigator === null ||
* @returns a string of the encoded string
*/
function uint8ArrayToString(bytes, format) {
return Buffer.from(bytes).toString(format);
switch (format) {
case "utf-8":
return uint8ArrayToUtf8String(bytes);
case "base64":
return uint8ArrayToBase64(bytes);
case "base64url":
return uint8ArrayToBase64Url(bytes);
}
}
/**
* The helper that transforms string to specific character encoded bytes array.
@ -20354,10 +20334,58 @@ function uint8ArrayToString(bytes, format) {
* @returns a uint8array
*/
function stringToUint8Array(value, format) {
return Buffer.from(value, format);
switch (format) {
case "utf-8":
return utf8StringToUint8Array(value);
case "base64":
return base64ToUint8Array(value);
case "base64url":
return base64UrlToUint8Array(value);
}
}
/**
* Decodes a Uint8Array into a Base64 string.
* @internal
*/
function uint8ArrayToBase64(bytes) {
return Buffer.from(bytes).toString("base64");
}
/**
* Decodes a Uint8Array into a Base64Url string.
* @internal
*/
function uint8ArrayToBase64Url(bytes) {
return Buffer.from(bytes).toString("base64url");
}
/**
* Decodes a Uint8Array into a javascript string.
* @internal
*/
function uint8ArrayToUtf8String(bytes) {
return Buffer.from(bytes).toString("utf-8");
}
/**
* Encodes a JavaScript string into a Uint8Array.
* @internal
*/
function utf8StringToUint8Array(value) {
return Buffer.from(value);
}
/**
* Encodes a Base64 string into a Uint8Array.
* @internal
*/
function base64ToUint8Array(value) {
return Buffer.from(value, "base64");
}
/**
* Encodes a Base64Url string into a Uint8Array.
* @internal
*/
function base64UrlToUint8Array(value) {
return Buffer.from(value, "base64url");
}
exports.cancelablePromiseRace = cancelablePromiseRace;
exports.computeSha256Hash = computeSha256Hash;
exports.computeSha256Hmac = computeSha256Hmac;
exports.createAbortablePromise = createAbortablePromise;
@ -71177,6 +71205,18 @@ module.exports = require("zlib");
/******/ }
/******/
/************************************************************************/
/******/ /* webpack/runtime/compat get default export */
/******/ (() => {
/******/ // getDefaultExport function for compatibility with non-harmony modules
/******/ __nccwpck_require__.n = (module) => {
/******/ var getter = module && module.__esModule ?
/******/ () => (module['default']) :
/******/ () => (module);
/******/ __nccwpck_require__.d(getter, { a: getter });
/******/ return getter;
/******/ };
/******/ })();
/******/
/******/ /* webpack/runtime/define property getters */
/******/ (() => {
/******/ // define getter functions for harmony exports
@ -71232,6 +71272,7 @@ var external_fs_ = __nccwpck_require__(5747);
var lib = __nccwpck_require__(6255);
// EXTERNAL MODULE: external "path"
var external_path_ = __nccwpck_require__(5622);
var external_path_default = /*#__PURE__*/__nccwpck_require__.n(external_path_);
// EXTERNAL MODULE: ./node_modules/uuid/dist/index.js
var dist = __nccwpck_require__(5840);
;// CONCATENATED MODULE: ./node_modules/uuid/wrapper.mjs
@ -71520,6 +71561,7 @@ var cacheUtils = __nccwpck_require__(1518);
;// CONCATENATED MODULE: ./src/arc-runner.ts
function isArcRunner() {
const runnerUserAgent = process.env["GITHUB_ACTIONS_RUNNER_EXTRA_USER_AGENT"];
let isARC = false;
@ -71546,8 +71588,9 @@ function sendAllowedEndpoints(endpoints) {
const allowedEndpoints = endpoints.split(" "); // endpoints are space separated
for (const endpoint of allowedEndpoints) {
if (endpoint) {
const encodedEndpoint = Buffer.from(endpoint).toString("base64");
external_child_process_.execSync(`echo "${endpoint}" > "${getRunnerTempDir()}/step_policy_endpoint_${encodedEndpoint}"`);
let encodedEndpoint = Buffer.from(endpoint).toString("base64");
let fileName = external_path_default().join(getRunnerTempDir(), `step_policy_endpoint_${encodedEndpoint}`);
echo(fileName);
}
}
if (allowedEndpoints.length > 0) {
@ -71555,14 +71598,12 @@ function sendAllowedEndpoints(endpoints) {
}
}
function applyPolicy(count) {
const fileName = `step_policy_apply_${count}`;
external_child_process_.execSync(`echo "${fileName}" > "${getRunnerTempDir()}/${fileName}"`);
let applyPolicyStr = `step_policy_apply_${count}`;
let fileName = external_path_default().join(getRunnerTempDir(), applyPolicyStr);
echo(fileName);
}
function removeStepPolicyFiles() {
cp.execSync(`rm ${getRunnerTempDir()}/step_policy_*`);
}
function arcCleanUp() {
cp.execSync(`echo "cleanup" > "${getRunnerTempDir()}/step_policy_cleanup"`);
function echo(content) {
external_child_process_.execFileSync("echo", [content]);
}
;// CONCATENATED MODULE: ./src/tls-inspect.ts
@ -71836,7 +71877,7 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
if (confg.egress_policy === "block") {
try {
if (process.env.USER) {
external_child_process_.execSync(`sudo chown -R ${process.env.USER} /home/agent`);
chownForFolder(process.env.USER, "/home/agent");
}
const confgStr = JSON.stringify(confg);
external_fs_.writeFileSync("/home/agent/block_event.json", confgStr);
@ -71882,7 +71923,7 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
}
const confgStr = JSON.stringify(confg);
external_child_process_.execSync("sudo mkdir -p /home/agent");
external_child_process_.execSync("sudo chown -R $USER /home/agent");
chownForFolder(process.env.USER, "/home/agent");
let isTLS = yield isTLSEnabled(github.context.repo.owner);
const agentInstalled = yield installAgent(isTLS, confgStr);
if (agentInstalled) {
@ -71923,6 +71964,11 @@ function setup_sleep(ms) {
setTimeout(resolve, ms);
});
}
function chownForFolder(newOwner, target) {
let cmd = "sudo";
let args = ["chown", "-R", newOwner, target];
external_child_process_.execFileSync(cmd, args);
}
})();

File diff suppressed because one or more lines are too long


@ -1,20 +1,20 @@
import { isArcRunner, sendAllowedEndpoints } from "./arc-runner";
it("should correctly recognize arc based runner", async () => {
process.env["GITHUB_ACTIONS_RUNNER_EXTRA_USER_AGENT"] =
"actions-runner-controller/2.0.1";
let isArc: boolean = await isArcRunner();
let isArc: boolean = await isArcRunner();
expect(isArc).toBe(true);
});
it("should write endpoint files", () => {
process.env["isTest"] = "1";
it("should write endpoint files", ()=>{
process.env["isTest"] = "1"
let allowed_endpoints = ["github.com:443", "*.google.com:443", "youtube.com"].join(" ");
let allowed_endpoints = [
"github.com:443",
"*.google.com:443",
"youtube.com",
].join(" ");
sendAllowedEndpoints(allowed_endpoints);
})
});


@ -1,6 +1,6 @@
import * as cp from "child_process";
import * as fs from "fs";
import { sleep } from "./setup";
import path from "path";
export function isArcRunner(): boolean {
const runnerUserAgent = process.env["GITHUB_ACTIONS_RUNNER_EXTRA_USER_AGENT"];
@ -27,7 +27,6 @@ function getRunnerTempDir(): string {
if (isTest === "1") {
return "/tmp";
}
return process.env["RUNNER_TEMP"] || "/tmp";
}
@ -36,10 +35,14 @@ export function sendAllowedEndpoints(endpoints: string): void {
for (const endpoint of allowedEndpoints) {
if (endpoint) {
const encodedEndpoint = Buffer.from(endpoint).toString("base64");
cp.execSync(
`echo "${endpoint}" > "${getRunnerTempDir()}/step_policy_endpoint_${encodedEndpoint}"`
let encodedEndpoint = Buffer.from(endpoint).toString("base64");
let fileName = path.join(
getRunnerTempDir(),
`step_policy_endpoint_${encodedEndpoint}`
);
echo(fileName);
}
}
@ -49,14 +52,12 @@ export function sendAllowedEndpoints(endpoints: string): void {
}
function applyPolicy(count: number): void {
const fileName = `step_policy_apply_${count}`;
cp.execSync(`echo "${fileName}" > "${getRunnerTempDir()}/${fileName}"`);
let applyPolicyStr = `step_policy_apply_${count}`;
let fileName = path.join(getRunnerTempDir(), applyPolicyStr);
echo(fileName);
}
export function removeStepPolicyFiles() {
cp.execSync(`rm ${getRunnerTempDir()}/step_policy_*`);
}
export function arcCleanUp() {
cp.execSync(`echo "cleanup" > "${getRunnerTempDir()}/step_policy_cleanup"`);
function echo(content: string) {
cp.execFileSync("echo", [content]);
}
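Review bot: `echo(fileName)` in `sendAllowedEndpoints` and `applyPolicy` only passes the path to `echo` as an argument, and nothing on the new side creates the `step_policy_*` file, so the name `fileName` and the test title "should write endpoint files" no longer describe what happens. The consumer of this signal is not visible in the diff: if it observes the process execution, document that on the helper, e.g. `/** Runs echo with the marker path as its only argument; no shell is involved and no file is written. */`; if it reads files from the temp directory, the signal is now silently dropped and the write should be `fs.writeFileSync(fileName, endpoint)`. The endpoint is now carried only base64-encoded inside the path, and standard base64 can emit `/`, which `path.join` treats as a separator; `toString("base64url")` avoids that if the consumer can decode it.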


@ -2,7 +2,7 @@ import * as fs from "fs";
import * as cp from "child_process";
import * as common from "./common";
import isDocker from "is-docker";
import { arcCleanUp, isArcRunner, removeStepPolicyFiles } from "./arc-runner";
import { isArcRunner } from "./arc-runner";
(async () => {
console.log("[harden-runner] post-step");
@ -18,8 +18,6 @@ import { arcCleanUp, isArcRunner, removeStepPolicyFiles } from "./arc-runner";
if (isArcRunner()) {
console.log(`[!] ${common.ARC_RUNNER_MESSAGE}`);
arcCleanUp();
removeStepPolicyFiles();
return;
}


@ -165,8 +165,9 @@ interface MonitorResponse {
if (confg.egress_policy === "block") {
try {
if (process.env.USER) {
cp.execSync(`sudo chown -R ${process.env.USER} /home/agent`);
chownForFolder(process.env.USER, "/home/agent");
}
const confgStr = JSON.stringify(confg);
fs.writeFileSync("/home/agent/block_event.json", confgStr);
await sleep(5000);
@ -225,7 +226,7 @@ interface MonitorResponse {
const confgStr = JSON.stringify(confg);
cp.execSync("sudo mkdir -p /home/agent");
cp.execSync("sudo chown -R $USER /home/agent");
chownForFolder(process.env.USER, "/home/agent");
let isTLS = await isTLSEnabled(context.repo.owner);
@ -269,3 +270,9 @@ export function sleep(ms) {
setTimeout(resolve, ms);
});
}
function chownForFolder(newOwner: string, target: string) {
let cmd = "sudo";
let args = ["chown", "-R", newOwner, target];
cp.execFileSync(cmd, args);
}
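Review bot: The second call site, `chownForFolder(process.env.USER, "/home/agent")` right after `sudo mkdir -p /home/agent`, lacks the `if (process.env.USER)` guard that the block-policy branch uses, so an unset `USER` reaches `execFileSync` as `undefined` in the argument array instead of a user name. `process.env.USER` is typed `string | undefined`, so the `newOwner: string` parameter only compiles with strict null checks off. I would guard inside the helper with `if (!newOwner) { throw new Error("USER is not set; cannot chown " + target); }`. I would also end option parsing before the operands, so a value beginning with `-` is never read as a flag: `const args = ["chown", "-R", "--", newOwner, target];`. Both call sites sit inside the async setup function, whose body starts and ends outside these hunks.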