Merge pull request #40 from PowerShellWeb/GQL-Container-Fix

GQL 0.1.1

Author: StartAutomating

.github/workflows/BuildGQL.yml

@@ -533,6 +533,9 @@ jobs:
         with: 
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           flavor: latest=true
+        env: 
+          REGISTRY: ghcr.io
+          IMAGE_NAME: ${{ github.repository }}
       - name: Build and push Docker image (from main)
         if: ${{github.ref_name == 'main' || github.ref_name == 'master' || github.ref_name == 'latest'}}
         uses: docker/build-push-action@master

Build/GitHub/Steps/BuildAndPublishContainer.psd1

@@ -32,6 +32,10 @@
         'images'='${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}'
         'flavor'='latest=true'
     }
+    env = @{
+        REGISTRY = 'ghcr.io'
+        IMAGE_NAME = '${{ github.repository }}'
+    }
 }
 @{
     name = 'Build and push Docker image (from main)'

CHANGELOG.md

@@ -1,3 +1,10 @@
+## GQL 0.1.1
+
+* Fixing Container Build (#38, #39)
+* Adding SECURITY.md (#17)
+
+---
+
 ## GQL 0.1
 
 * Initial Release of GQL

Dockerfile

@@ -2,7 +2,7 @@
 FROM mcr.microsoft.com/powershell AS powershell
 
 # Set the module name to the name of the module we are building
-ENV ModuleName=HtmxPS
+ENV ModuleName=GQL
 ENV InstallAptGet="git","curl","ca-certificates","libc6","libgcc1"
 ENV InstallModule="ugit"
 # Copy the module into the container

GQL.psd1

@@ -1,5 +1,5 @@
 @{
-    ModuleVersion = '0.1'
+    ModuleVersion = '0.1.1'
     RootModule = 'GQL.psm1'
     Guid = '9bf5c922-9f36-4c52-a7b6-d435837d4fa9'
     Author = 'James Brundage'
@@ -12,11 +12,10 @@
             ProjectURI = 'https://github.com/PowerShellWeb/GQL'
             LicenseURI = 'https://github.com/PowerShellWeb/GQL/blob/main/LICENSE'
             ReleaseNotes = @'            
-## GQL 0.1
+## GQL 0.1.1
 
-* Initial Release of GQL
-* One Simple Command for GraphQL: `Get-GQL` (or `GQL`)
-* Container and GitHub action included!
+* Fixing Container Build (#38, #39)
+* Adding SECURITY.md (#17)
 
 ---
 

SECURITY.md

@@ -0,0 +1,59 @@
+# Security
+
+We take security seriously.  If you believe you have discovered a vulnerability, please [file an issue](https://github.com/PowerShellWeb/GQL/issues).
+
+## Special Security Considerations
+
+When using this module, take care to secure your GraphQL token.  _Never_ hardcode a value, even as an example.
+
+GraphQL is very powerful, and the Graph API should be queried carefully.
+
+It is also highly recommended you use a Graph API token with limited rights.  
+
+Using your own personal access token can compromise your account.
+
+Finally, and importantly, review any queries that you run before you run them.  
+
+Any GraphQL query you did not write could do more than you expect it to.
+
+### -WhatIf and -Confirm for extra safety
+
+For safety purposes, GQL SupportsShouldProcess.
+
+This adds two parameters, -WhatIf and -Confirm.
+
+Use -WhatIf to determine how to run the query with Invoke-RestMethod, without running it directly.
+
+Use -Confirm to prompt for confirmation before each query is executed.
+
+~~~PowerShell
+GQL ./Examples/GetSchemaTypes.gql -Confirm
+~~~
+
+### Use Variables for more security
+
+Hardcoded values can reveal insecure information.
+
+## Never Execute Result Data
+
+Seriously:
+
+**Never Execute Result Data**
+
+In PowerShell, on of the most dangerous things you can do is `Invoke-Expression`.
+
+This runs whatever is in the data, and is the path to code injection attacks.
+
+Another dangerous thing you can do is `$executionContext.SessionState.InvokeCommand.ExpandString`.
+
+This expands a string containing subexpressions, which can also inject code.
+
+If you were to directly Invoke or expand code from a GraphQL result, it could compromise your system (and possibly your network)
+
+If you were to directly evaluate code from a GraphQL result in any other language, it could compromise that application (and possibly your network)
+
+So, once more:
+
+*Never Execute Result Data*
+
+## Please Enjoy Responsibly

docs/CHANGELOG.md

@@ -1,3 +1,10 @@
+## GQL 0.1.1
+
+* Fixing Container Build (#38, #39)
+* Adding SECURITY.md (#17)
+
+---
+
 ## GQL 0.1
 
 * Initial Release of GQL

docs/SECURITY.md

@@ -0,0 +1,59 @@
+# Security
+
+We take security seriously.  If you believe you have discovered a vulnerability, please [file an issue](https://github.com/PowerShellWeb/GQL/issues).
+
+## Special Security Considerations
+
+When using this module, take care to secure your GraphQL token.  _Never_ hardcode a value, even as an example.
+
+GraphQL is very powerful, and the Graph API should be queried carefully.
+
+It is also highly recommended you use a Graph API token with limited rights.  
+
+Using your own personal access token can compromise your account.
+
+Finally, and importantly, review any queries that you run before you run them.  
+
+Any GraphQL query you did not write could do more than you expect it to.
+
+### -WhatIf and -Confirm for extra safety
+
+For safety purposes, GQL SupportsShouldProcess.
+
+This adds two parameters, -WhatIf and -Confirm.
+
+Use -WhatIf to determine how to run the query with Invoke-RestMethod, without running it directly.
+
+Use -Confirm to prompt for confirmation before each query is executed.
+
+~~~PowerShell
+GQL ./Examples/GetSchemaTypes.gql -Confirm
+~~~
+
+### Use Variables for more security
+
+Hardcoded values can reveal insecure information.
+
+## Never Execute Result Data
+
+Seriously:
+
+**Never Execute Result Data**
+
+In PowerShell, on of the most dangerous things you can do is `Invoke-Expression`.
+
+This runs whatever is in the data, and is the path to code injection attacks.
+
+Another dangerous thing you can do is `$executionContext.SessionState.InvokeCommand.ExpandString`.
+
+This expands a string containing subexpressions, which can also inject code.
+
+If you were to directly Invoke or expand code from a GraphQL result, it could compromise your system (and possibly your network)
+
+If you were to directly evaluate code from a GraphQL result in any other language, it could compromise that application (and possibly your network)
+
+So, once more:
+
+*Never Execute Result Data*
+
+## Please Enjoy Responsibly