chore(deps): Update tj-actions/changed-files action to v40 [SECURITY] (#15965)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [tj-actions/changed-files](https://togithub.com/tj-actions/changed-files) | action | major | `v39` -> `v40` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

### GitHub Vulnerability Alerts

#### [CVE-2023-51664](https://togithub.com/tj-actions/changed-files/security/advisories/GHSA-mcph-m25j-8j63)

### Summary
The `tj-actions/changed-files` action allows command injection through changed filenames, letting an attacker execute arbitrary code in the workflow and potentially leak secrets.

### Details
The [`changed-files`](https://togithub.com/tj-actions/changed-files) action returns the list of files changed in a commit or pull request. Its `escape_json` input, [enabled by default](https://togithub.com/tj-actions/changed-files/blob/94549999469dbfa032becf298d95c87a14c34394/action.yml#L136), only escapes `"` so that the value is valid JSON; it does not escape shell metacharacters.

Filenames can therefore contain shell metacharacters such as `;` and `` ` `` (backtick). If the output value is interpolated as-is into a `run` block (the expression is replaced in the script text before execution), an attacker who controls a filename can take over the [GitHub Runner](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners). The injected commands may read **secrets** such as `GITHUB_TOKEN` when the workflow is triggered by events other than `pull_request`, for example `push`.

#### Proof of Concept

1. Submit a pull request to a repository with a new file injecting a command. For example `$(whoami).txt` which is a valid filename.
2. Upon approval of the workflow (triggered by the pull request), the action will get executed and the malicious pull request filename will flow into the `List all changed files` step below.

```yaml
      - name: List all changed files
        run: |
          # the ${{ }} expression is substituted into the script text before bash runs,
          # so shell metacharacters in a filename become code
          for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
            echo "$file was changed"
          done
```

Example output:

```text
##[group]Run for file in $(whoami).txt; do
    for file in $(whoami).txt; do
        echo "$file was changed"
    done
shell: /usr/bin/bash -e {0}

##[endgroup]
runner.txt was changed
```

### Impact

This issue may lead to arbitrary command execution in the GitHub Runner.

### Resolution
- A new `safe_output` input, enabled by default, returns filename paths with special characters such as `;`, `` ` `` (backtick), `$`, `(` and `)` escaped for bash environments.

- Store untrusted outputs in environment variables instead of interpolating them into the script text:

```yaml
- name: List all changed files
  env:
    # the value reaches bash as data in an environment variable, never as script text
    ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
  run: |
    for file in "$ALL_CHANGED_FILES"; do
      echo "$file was changed"
    done
```
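The following script is an added example, not code from the advisory or from the `tj-actions/changed-files` project. It reproduces, in plain POSIX shell, what the Proof of Concept and the Resolution above describe: a template placeholder (`__FILES__`, standing in for the runner's `${{ ... }}` substitution) is spliced into script text, so a constructed filename containing `$(...)` is executed, whereas the same filename passed through an environment variable, or shell-quoted the way `safe_output` intends, stays inert. It also includes a small guard, `has_shell_meta`, that a workflow can use to fail early on names containing shell metacharacters. Function names, the placeholder and the sample filename are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory or the action): contrasts textual
# substitution of an untrusted filename into a run: script with passing it
# through an environment variable or shell-quoting it first.
set -u

# Constructed untrusted filename of the kind a pull request can add. It is a
# perfectly valid filename; a shell only interprets it if it lands in script text.
UNTRUSTED_FILE='$(echo INJECTED).txt'

# Stand-in for the runner's ${{ }} substitution: __FILES__ is replaced in the
# script *text* before any shell sees it (hypothetical placeholder name).
render_template() {
  _pre=${1%%__FILES__*}
  _suf=${1#*__FILES__}
  printf '%s' "$_pre$2$_suf"
}

TEMPLATE='for file in __FILES__; do echo "changed: $file"; done'

# Vulnerable pattern: the rendered text is executed as a script, so the
# command substitution inside the filename runs.
unsafe_step() {
  sh -c "$(render_template "$TEMPLATE" "$1")"
}

# Mitigated pattern (advisory resolution 2): the value is handed to the shell
# as data in an environment variable and expanded at runtime, never re-parsed.
safe_step() {
  ALL_CHANGED_FILES=$1 sh -c 'for file in "$ALL_CHANGED_FILES"; do echo "changed: $file"; done'
}

# Approximation of the safe_output idea (advisory resolution 1): wrap the path
# in single quotes and escape embedded single quotes, so every metacharacter
# is literal even when the result is spliced into script text.
# Names containing a newline are out of scope for this line-oriented sed.
quote_for_sh() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Same unsafe template, but fed the quoted form: the filename is now data.
quoted_step() {
  sh -c "$(render_template "$TEMPLATE" "$(quote_for_sh "$1")")"
}

# Guard for a CI step: succeeds (exit 0) when the name contains any character
# the advisory lists as dangerous for bash, plus quotes, redirections and space.
has_shell_meta() {
  printf '%s' "$1" | grep -qF -e ';' -e '$' -e '(' -e ')' -e '`' -e '|' \
    -e '&' -e '<' -e '>' -e "'" -e '"' -e '\' -e ' '
}

# Usage: compare the three paths on the constructed filename.
echo "unsafe : $(unsafe_step "$UNTRUSTED_FILE")"   # changed: INJECTED.txt
echo "env var: $(safe_step "$UNTRUSTED_FILE")"     # changed: $(echo INJECTED).txt
echo "quoted : $(quoted_step "$UNTRUSTED_FILE")"   # changed: $(echo INJECTED).txt
if has_shell_meta "$UNTRUSTED_FILE"; then echo "guard: rejected $UNTRUSTED_FILE"; fi
```

The env-var and quoted variants print the filename verbatim because the shell never parses it as code; only the raw template expansion runs the embedded substitution. The guard is deliberately strict (it also rejects spaces and quotes), which is the right default for a list the action joins with spaces.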

### Resources

* [Keeping your GitHub Actions and workflows secure Part 2: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input/)
* [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)

---

### Release Notes

<details>
<summary>tj-actions/changed-files (tj-actions/changed-files)</summary>

### [`v40`](https://togithub.com/tj-actions/changed-files/releases/tag/v40)

[Compare Source](https://togithub.com/tj-actions/changed-files/compare/v39...v40)

### Changes in v40.2.3

#### What's Changed

-   Upgraded to v40.2.2 by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1787
-   chore(deps): update dependency prettier to v3.1.1 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1788
-   chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1789
-   chore(deps): update typescript-eslint monorepo to v6.14.0 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1790
-   chore(deps): update github/codeql-action action to v3 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1792
-   chore(deps): update actions/download-artifact action to v4 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1793
-   chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1795
-   chore(deps): update dependency eslint to v8.56.0 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1796
-   chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.10.5 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1797
-   chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1798
-   chore(deps): update actions/setup-node action to v4.0.1 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1799

**Full Changelog**: tj-actions/changed-files@v40...v40.2.3

***

### Changes in v40.2.2

#### What's Changed

-   Upgraded to v40.2.1 by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1771
-   chore(deps): update typescript-eslint monorepo to v6.13.2 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1772
-   chore: Create SECURITY.md by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1773
-   chore: Update package.json by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1774
-   chore(deps-dev): bump [@types/jest](https://togithub.com/types/jest) from 29.5.10 to 29.5.11 by [@dependabot](https://togithub.com/dependabot) in tj-actions/changed-files#1775
-   chore(deps): update dependency typescript to v5.3.3 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1777
-   Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1778
-   Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1779
-   chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.10.4 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1781
-   chore(deps): bump tj-actions/branch-names from 7 to 8 by [@dependabot](https://togithub.com/dependabot) in tj-actions/changed-files#1782
-   docs: add rodrigorfk as a contributor for code, test, and bug by [@allcontributors](https://togithub.com/allcontributors) in tj-actions/changed-files#1785
-   Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1786
-   fix: bug recovering deleted files for submodules by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1784

**Full Changelog**: tj-actions/changed-files@v40...v40.2.2

***

### Changes in v40.2.1

#### What's Changed

-   Upgraded to v40.2.0 by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1746
-   chore: update README.md by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1749
-   Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1750
-   chore(deps): update typescript-eslint monorepo to v6.13.0 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1751
-   chore(deps): update typescript-eslint monorepo to v6.13.1 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1753
-   chore: remove unused job by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1754
-   Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1755
-   chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1757
-   security: remove usage of pull_request_target event from test.yml by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1758
-   chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.10.1 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1761
-   test: verify bug writing outputs when files_yaml is used by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1762
-   security: Update test.yml removing pull_request_review event by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1763
-   chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.10.2 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1764
-   chore(deps): update dependency eslint to v8.55.0 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1765
-   chore(deps): update dependency eslint-config-prettier to v9.1.0 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1766
-   Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1767
-   Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1769
-   chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.10.3 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1768
-   chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1770

**Full Changelog**: tj-actions/changed-files@v40...v40.2.1

***

### Changes in v40.2.0

#### What's Changed

-   Upgraded to v40.1.1 by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1704
-   chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1706
-   chore(deps): update dependency prettier to v3.1.0 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1707
-   chore(deps): update typescript-eslint monorepo to v6.11.0 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1708
-   chore: Update update-readme.yml by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1709
-   Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1710
-   Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1711
-   Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1712
-   Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1713
-   Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1714
-   chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.9.1 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1715
-   chore(deps): update dependency eslint to v8.54.0 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1716
-   chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.9.2 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1717
-   chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1720
-   Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1721
-   chore: simplify matrix example workflow by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1719
-   Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1722
-   chore(deps): update typescript-eslint monorepo to v6.12.0 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1723
-   chore(deps): update dependency typescript to v5.3.2 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1724
-   Bump [@types/node](https://togithub.com/types/node) from 20.9.2 to 20.9.3 by [@dependabot](https://togithub.com/dependabot) in tj-actions/changed-files#1725
-   chore(deps): update dependency [@types/jest](https://togithub.com/types/jest) to v29.5.9 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1729
-   chore(deps): update dependency [@types/micromatch](https://togithub.com/types/micromatch) to v4.0.6 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1731
-   chore(deps): update dependency [@types/lodash](https://togithub.com/types/lodash) to v4.14.202 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1730
-   Bump [@types/lodash](https://togithub.com/types/lodash) from 4.14.201 to 4.14.202 by [@dependabot](https://togithub.com/dependabot) in tj-actions/changed-files#1728
-   Bump [@types/micromatch](https://togithub.com/types/micromatch) from 4.0.5 to 4.0.6 by [@dependabot](https://togithub.com/dependabot) in tj-actions/changed-files#1727
-   Bump [@types/jest](https://togithub.com/types/jest) from 29.5.8 to 29.5.9 by [@dependabot](https://togithub.com/dependabot) in tj-actions/changed-files#1726
-   Bump [@types/node](https://togithub.com/types/node) from 20.9.3 to 20.9.4 by [@dependabot](https://togithub.com/dependabot) in tj-actions/changed-files#1732
-   chore(deps): update dependency [@types/jest](https://togithub.com/types/jest) to v29.5.10 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1734
-   chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.9.5 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1736
-   chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.10.0 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1737
-   chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1743
-   feat: add support for passing branch name to the base_sha and sha inputs by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1742
-   fix: prevent similar commit hashes error when using the branch name by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1744
-   fix: prevent similar commit hashes error when using the branch name by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1745

**Full Changelog**: tj-actions/changed-files@v40...v40.2.0

***

### Changes in v40.1.1

#### What's Changed

-   Upgraded to v40.1.0 by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1695
-   chore(deps): update dependency eslint to v8.53.0 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1696
-   chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1697
-   chore(deps): update typescript-eslint monorepo to v6.10.0 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1698
-   chore(deps): update dependency [@types/jest](https://togithub.com/types/jest) to v29.5.8 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1699
-   chore(deps): update dependency [@types/uuid](https://togithub.com/types/uuid) to v9.0.7 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1702
-   chore(deps): update dependency [@types/micromatch](https://togithub.com/types/micromatch) to v4.0.5 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1701
-   chore(deps): update dependency [@types/lodash](https://togithub.com/types/lodash) to v4.14.201 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1700
-   chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.9.0 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1703

**Full Changelog**: tj-actions/changed-files@v40...v40.1.1

***

### Changes in v40.1.0

#### What's Changed

-   Upgraded to v40.0.2 by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1689
-   fix(deps): update dependency yaml to v2.3.4 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1691
-   feat: add support for controlling the pattern order by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1693
-   Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1694

**Full Changelog**: tj-actions/changed-files@v40...v40.1.0

***

### Changes in v40.0.2

#### What's Changed

-   Upgraded to v40.0.1 by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1686
-   chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.8.10 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1687
-   fix: order of file patterns by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1688

**Full Changelog**: tj-actions/changed-files@v40...v40.0.2

***

### Changes in v40.0.1

#### What's Changed

-   Upgraded to v40 by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1672
-   Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1673
-   Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1675
-   chore(deps): update dependency eslint-plugin-jest to v27.5.0 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1674
-   chore(deps): update dependency eslint-plugin-jest to v27.6.0 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1676
-   Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1677
-   Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1678
-   chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1680
-   chore(deps): update dependency [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) to v6.9.1 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1682
-   chore(deps): update dependency [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) to v6.9.1 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1683
-   fix: bug with order in which the files and files ignore patterns are combined by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1684
-   chore(deps): update dependency [@types/jest](https://togithub.com/types/jest) to v29.5.7 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1685

**Full Changelog**: tj-actions/changed-files@v40...v40.0.1

***

### Changes in v40.0.0

#### 🔥 🔥  Breaking Change 🔥 🔥

-   Directory patterns now require explicit specification of the globstar pattern to match all sub paths.


```diff
...
      - name: Get specific changed files
        id: changed-files-specific
        uses: tj-actions/changed-files@v40
        with:
          files: |
-            dir
+            dir/**
```

#### What's Changed

-   Upgraded to v39.2.4 by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1664
-   chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1665
-   Bump [@types/node](https://togithub.com/types/node) from 20.8.7 to 20.8.8 by [@dependabot](https://togithub.com/dependabot) in tj-actions/changed-files#1666
-   chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.8.9 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1668
-   remove: appending globstar pattern for directories to prevent bugs with path matching by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1670
-   chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1671

**Full Changelog**: tj-actions/changed-files@v39...v40.0.0

***

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---


---

This PR has been generated by [Renovate Bot](https://togithub.com/renovatebot/renovate).
cq-bot committed Jan 2, 2024
1 parent 2292b5a commit 76e5afc
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion .github/workflows/wait_for_required_workflows.yml
@@ -20,7 +20,7 @@ jobs:
fetch-depth: 0
- name: Get changed files
id: changed-files
uses: tj-actions/changed-files@v39
uses: tj-actions/changed-files@v40
- uses: actions/github-script@v6
env:
FILES: ${{ steps.changed-files.outputs.all_modified_files }}
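Review bot: `uses: tj-actions/changed-files@v40` pins a mutable tag, so what actually runs in this job can change without another commit here; consider pinning to the full commit SHA of the v40 release and keeping the tag in a trailing comment, which is the usual supply-chain hardening for third-party actions. Worth noting for reviewers that `FILES` is already passed through `env:` to `actions/github-script@v6` rather than interpolated into a script body, which is the mitigation the advisory above recommends, so the injection path described there is closed in this workflow independently of the new `safe_output` default.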
