Commit
chore(deps): Update tj-actions/changed-files action to v40 [SECURITY] (#15965)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [tj-actions/changed-files](https://togithub.com/tj-actions/changed-files) | action | major | `v39` -> `v40` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

### GitHub Vulnerability Alerts

#### [CVE-2023-51664](https://togithub.com/tj-actions/changed-files/security/advisories/GHSA-mcph-m25j-8j63)

### Summary

The `tj-actions/changed-files` workflow allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets.

### Details

The [`changed-files`](https://togithub.com/tj-actions/changed-files) action returns a list of files changed in a commit or pull request. Its `escape_json` input, [enabled by default](https://togithub.com/tj-actions/changed-files/blob/94549999469dbfa032becf298d95c87a14c34394/action.yml#L136), only escapes `"` for JSON values. This could potentially allow filenames that contain special characters such as `;` and \` (backtick), which can be used by an attacker to take over the [GitHub Runner](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners) if the output value is used in a raw fashion (thus being directly replaced before execution) inside a `run` block.

By running custom commands an attacker may be able to steal **secrets** such as `GITHUB_TOKEN` if triggered on events other than `pull_request`, for example on `push`.

#### Proof of Concept

1. Submit a pull request to a repository with a new file injecting a command. For example `$(whoami).txt`, which is a valid filename.
2. Upon approval of the workflow (triggered by the pull request), the action will get executed and the malicious pull request filename will flow into the `List all changed files` step below.

```yaml
- name: List all changed files
  run: |
    for file in $; do
      echo "$file was changed"
    done
```

Example output:

```text
##[group]Run for file in $(whoami).txt; do
for file in $(whoami).txt; do
  echo "$file was changed"
done
shell: /usr/bin/bash -e {0}
##[endgroup]
runner.txt was changed
```

### Impact

This issue may lead to arbitrary command execution in the GitHub Runner.

### Resolution

- A new `safe_output` input would be enabled by default and return filename paths escaping special characters like `;`, \` (backtick), `$`, `()`, etc. for bash environments.
- A safe recommendation of using environment variables to store unsafe outputs.

```yaml
- name: List all changed files
  env:
    ALL_CHANGED_FILES: $
  run: |
    for file in "$ALL_CHANGED_FILES"; do
      echo "$file was changed"
    done
```

### Resources

* [Keeping your GitHub Actions and workflows secure Part 2: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input/)
* [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)

---

### Release Notes

<details>
<summary>tj-actions/changed-files (tj-actions/changed-files)</summary>

### [`v40`](https://togithub.com/tj-actions/changed-files/releases/tag/v40)

[Compare Source](https://togithub.com/tj-actions/changed-files/compare/v39...v40)

### Changes in v40.2.3

#### What's Changed

- Upgraded to v40.2.2 by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1787
- chore(deps): update dependency prettier to v3.1.1 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1788
- chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1789
- chore(deps): update typescript-eslint monorepo to v6.14.0 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1790
- chore(deps): update github/codeql-action action to v3 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1792
- chore(deps): update actions/download-artifact action to v4 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1793
- chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1795
- chore(deps): update dependency eslint to v8.56.0 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1796
- chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.10.5 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1797
- chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1798
- chore(deps): update actions/setup-node action to v4.0.1 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1799

**Full Changelog**: tj-actions/changed-files@v40...v40.2.3

***

### Changes in v40.2.2

#### What's Changed

- Upgraded to v40.2.1 by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1771
- chore(deps): update typescript-eslint monorepo to v6.13.2 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1772
- chore: Create SECURITY.md by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1773
- chore: Update package.json by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1774
- chore(deps-dev): bump [@types/jest](https://togithub.com/types/jest) from 29.5.10 to 29.5.11 by [@dependabot](https://togithub.com/dependabot) in tj-actions/changed-files#1775
- chore(deps): update dependency typescript to v5.3.3 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1777
- Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1778
- Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1779
- chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.10.4 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1781
- chore(deps): bump tj-actions/branch-names from 7 to 8 by [@dependabot](https://togithub.com/dependabot) in tj-actions/changed-files#1782
- docs: add rodrigorfk as a contributor for code, test, and bug by [@allcontributors](https://togithub.com/allcontributors) in tj-actions/changed-files#1785
- Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1786
- fix: bug recovering deleted files for submodules by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1784

**Full Changelog**: tj-actions/changed-files@v40...v40.2.2

***

### Changes in v40.2.1

#### What's Changed

- Upgraded to v40.2.0 by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1746
- chore: update README.md by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1749
- Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1750
- chore(deps): update typescript-eslint monorepo to v6.13.0 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1751
- chore(deps): update typescript-eslint monorepo to v6.13.1 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1753
- chore: remove unused job by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1754
- Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1755
- chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1757
- security: remove usage of pull_request_target event from test.yml by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1758
- chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.10.1 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1761
- test: verify bug writing outputs when files_yaml is used by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1762
- security: Update test.yml removing pull_request_review event by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1763
- chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.10.2 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1764
- chore(deps): update dependency eslint to v8.55.0 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1765
- chore(deps): update dependency eslint-config-prettier to v9.1.0 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1766
- Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1767
- Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1769
- chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.10.3 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1768
- chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1770

**Full Changelog**: tj-actions/changed-files@v40...v40.2.1

***

### Changes in v40.2.0

#### What's Changed

- Upgraded to v40.1.1 by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1704
- chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1706
- chore(deps): update dependency prettier to v3.1.0 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1707
- chore(deps): update typescript-eslint monorepo to v6.11.0 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1708
- chore: Update update-readme.yml by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1709
- Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1710
- Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1711
- Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1712
- Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1713
- Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1714
- chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.9.1 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1715
- chore(deps): update dependency eslint to v8.54.0 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1716
- chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.9.2 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1717
- chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1720
- Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1721
- chore: simplify matrix example workflow by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1719
- Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1722
- chore(deps): update typescript-eslint monorepo to v6.12.0 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1723
- chore(deps): update dependency typescript to v5.3.2 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1724
- Bump [@types/node](https://togithub.com/types/node) from 20.9.2 to 20.9.3 by [@dependabot](https://togithub.com/dependabot) in tj-actions/changed-files#1725
- chore(deps): update dependency [@types/jest](https://togithub.com/types/jest) to v29.5.9 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1729
- chore(deps): update dependency [@types/micromatch](https://togithub.com/types/micromatch) to v4.0.6 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1731
- chore(deps): update dependency [@types/lodash](https://togithub.com/types/lodash) to v4.14.202 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1730
- Bump [@types/lodash](https://togithub.com/types/lodash) from 4.14.201 to 4.14.202 by [@dependabot](https://togithub.com/dependabot) in tj-actions/changed-files#1728
- Bump [@types/micromatch](https://togithub.com/types/micromatch) from 4.0.5 to 4.0.6 by [@dependabot](https://togithub.com/dependabot) in tj-actions/changed-files#1727
- Bump [@types/jest](https://togithub.com/types/jest) from 29.5.8 to 29.5.9 by [@dependabot](https://togithub.com/dependabot) in tj-actions/changed-files#1726
- Bump [@types/node](https://togithub.com/types/node) from 20.9.3 to 20.9.4 by [@dependabot](https://togithub.com/dependabot) in tj-actions/changed-files#1732
- chore(deps): update dependency [@types/jest](https://togithub.com/types/jest) to v29.5.10 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1734
- chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.9.5 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1736
- chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.10.0 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1737
- chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1743
- feat: add support for passing branch name to the base_sha and sha inputs by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1742
- fix: prevent similar commit hashes error when using the branch name by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1744
- fix: prevent similar commit hashes error when using the branch name by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1745

**Full Changelog**: tj-actions/changed-files@v40...v40.2.0

***

### Changes in v40.1.1

#### What's Changed

- Upgraded to v40.1.0 by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1695
- chore(deps): update dependency eslint to v8.53.0 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1696
- chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1697
- chore(deps): update typescript-eslint monorepo to v6.10.0 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1698
- chore(deps): update dependency [@types/jest](https://togithub.com/types/jest) to v29.5.8 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1699
- chore(deps): update dependency [@types/uuid](https://togithub.com/types/uuid) to v9.0.7 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1702
- chore(deps): update dependency [@types/micromatch](https://togithub.com/types/micromatch) to v4.0.5 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1701
- chore(deps): update dependency [@types/lodash](https://togithub.com/types/lodash) to v4.14.201 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1700
- chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.9.0 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1703

**Full Changelog**: tj-actions/changed-files@v40...v40.1.1

***

### Changes in v40.1.0

#### What's Changed

- Upgraded to v40.0.2 by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1689
- fix(deps): update dependency yaml to v2.3.4 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1691
- feat: add support for controlling the pattern order by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1693
- Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1694

**Full Changelog**: tj-actions/changed-files@v40...v40.1.0

***

### Changes in v40.0.2

#### What's Changed

- Upgraded to v40.0.1 by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1686
- chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.8.10 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1687
- fix: order of file patterns by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1688

**Full Changelog**: tj-actions/changed-files@v40...v40.0.2

***

### Changes in v40.0.1

#### What's Changed

- Upgraded to v40 by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1672
- Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1673
- Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1675
- chore(deps): update dependency eslint-plugin-jest to v27.5.0 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1674
- chore(deps): update dependency eslint-plugin-jest to v27.6.0 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1676
- Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1677
- Updated README.md by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1678
- chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1680
- chore(deps): update dependency [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) to v6.9.1 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1682
- chore(deps): update dependency [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) to v6.9.1 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1683
- fix: bug with order in which the files and files ignore patterns are combined by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1684
- chore(deps): update dependency [@types/jest](https://togithub.com/types/jest) to v29.5.7 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1685

**Full Changelog**: tj-actions/changed-files@v40...v40.0.1

***

### Changes in v40.0.0

#### 🔥 🔥 Breaking Change 🔥 🔥

- Directory patterns now require explicit specification of the globstar pattern to match all sub paths.

```diff
...
    - name: Get specific changed files
      id: changed-files-specific
      uses: tj-actions/changed-files@v40
      with:
        files: |
-          dir
+          dir/**
```

#### What's Changed

- Upgraded to v39.2.4 by [@tj-actions-bot](https://togithub.com/tj-actions-bot) in tj-actions/changed-files#1664
- chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1665
- Bump [@types/node](https://togithub.com/types/node) from 20.8.7 to 20.8.8 by [@dependabot](https://togithub.com/dependabot) in tj-actions/changed-files#1666
- chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v20.8.9 by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1668
- remove: appending globstar pattern for directories to prevent bugs with path matching by [@jackton1](https://togithub.com/jackton1) in tj-actions/changed-files#1670
- chore(deps): lock file maintenance by [@renovate](https://togithub.com/renovate) in tj-actions/changed-files#1671

**Full Changelog**: tj-actions/changed-files@v39...v40.0.0

***

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

This PR has been generated by [Renovate Bot](https://togithub.com/renovatebot/renovate).
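The injection the advisory describes, and the two mitigations it lists, as an added example that is not code from tj-actions/changed-files or from this PR: the untrusted filename is substituted into the `run` script as text, so its `$(...)` is executed, whereas a `safe_output`-style escape (approximated here by a hypothetical `escape_for_shell`, not the action's real implementation) or the `env:` pattern keeps it a literal word. It assumes a POSIX `/bin/sh` is available and uses a constructed filename and constructed step bodies.

```python
"""Added example: filename injection via expression substitution (CVE-2023-51664)
and the two mitigations the advisory lists. Not code from tj-actions/changed-files.
Assumes a POSIX /bin/sh; escape_for_shell is a hypothetical approximation of the
action's `safe_output` escaping, not its real implementation."""
import re
import subprocess
from typing import Dict, Optional

# Constructed untrusted input: a pull request may add a file with this name. It is a
# valid Linux filename, but `$(...)` is a command substitution once a shell sees it.
MALICIOUS_FILENAME = "$(echo injected).txt"
OUTPUT_KEY = "steps.changed-files.outputs.all_changed_files"

# The advisory's step bodies (constructed, single-line form). In UNSAFE_RUN the
# `${{ }}` expression is replaced by the runner as plain text *before* the shell
# starts; in SAFE_RUN the value only ever reaches the shell through an env var.
UNSAFE_RUN = 'for file in ${{ ' + OUTPUT_KEY + ' }}; do echo "$file was changed"; done'
SAFE_RUN = 'for file in "$ALL_CHANGED_FILES"; do echo "$file was changed"; done'

EXPRESSION = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")


def render_expressions(script: str, outputs: Dict[str, str]) -> str:
    """Mimic the runner's textual substitution of `${{ <key> }}` expressions."""
    return EXPRESSION.sub(lambda m: outputs[m.group(1)], script)


def escape_for_shell(name: str) -> str:
    """Hypothetical safe_output-style escaping: backslash-escape shell metacharacters
    (`;`, backtick, `$`, `(`, `)` and friends) so the name stays a literal word."""
    return re.sub(r'([;`$()&|<>"\'\\ \t\n*?\[\]{}!#~])', r"\\\1", name)


def run_sh(script: str, env: Optional[Dict[str, str]] = None) -> str:
    """Run a script under /bin/sh with a minimal environment; return its stdout."""
    merged = {"PATH": "/usr/bin:/bin"}
    merged.update(env or {})
    proc = subprocess.run(["/bin/sh", "-c", script], capture_output=True,
                          text=True, env=merged, check=True)
    return proc.stdout.strip()


def unsafe_interpolation(filename: str) -> str:
    """Vulnerable pattern: the raw output is spliced into the script text."""
    return run_sh(render_expressions(UNSAFE_RUN, {OUTPUT_KEY: filename}))


def escaped_interpolation(filename: str) -> str:
    """Mitigation 1: the action escapes the value before it is spliced in."""
    return run_sh(render_expressions(UNSAFE_RUN, {OUTPUT_KEY: escape_for_shell(filename)}))


def env_var_mitigation(filename: str) -> str:
    """Mitigation 2: pass the value via `env:`; the shell never parses it as code."""
    return run_sh(SAFE_RUN, {"ALL_CHANGED_FILES": filename})


if __name__ == "__main__":
    for label, fn in [("unsafe", unsafe_interpolation),
                      ("escaped", escaped_interpolation),
                      ("env var", env_var_mitigation)]:
        print(f"{label:8}: {fn(MALICIOUS_FILENAME)}")
```

Only the unsafe case prints `injected.txt was changed`, showing the substitution ran; both mitigations echo the filename back unchanged.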