Fix security issues (#6040)

Author: sdepassio

.github/actions/merge-artifacts/action.yml

@@ -33,17 +33,21 @@ runs:
         retention-days: 1
 
     - name: Delete Artifacts
+      env:
+        SOURCE_NAME_PATTERN: ${{ inputs.source_name_pattern }}
+        GITHUB_TOKEN: ${{ inputs.github_token }}
+        GITHUB_REPOSITORY: ${{ github.repository }}
       run: |
-        artifact_pattern="${{ inputs.source_name_pattern }}"
-        TOKEN="${{ inputs.github_token }}"
+        artifact_pattern="$SOURCE_NAME_PATTERN"
+        TOKEN="$GITHUB_TOKEN"
         artifact_exists=true
         while [ "$artifact_exists" = true ]; do
           artifact_exists=false
           artifacts_response=$(curl -L \
                         -H "Accept: application/vnd.github+json" \
                         -H "Authorization: Bearer $TOKEN" \
                         -H "X-GitHub-Api-Version: 2022-11-28" \
-                        "https://api.github.com/repos/${{ github.repository }}/actions/artifacts?per_page=100")
+                        "https://api.github.com/repos/${GITHUB_REPOSITORY}/actions/artifacts?per_page=100")
           artifacts=$(echo $artifacts_response | jq -c '.artifacts[]')
           echo "Those are the artifacts : $artifacts"
           while read row; do
@@ -57,7 +61,7 @@ runs:
                 -H "Accept: application/vnd.github+json" \
                 -H "Authorization: Bearer $TOKEN" \
                 -H "X-GitHub-Api-Version: 2022-11-28" \
-                "https://api.github.com/repos/${{ github.repository }}/actions/artifacts/${artifact_id}"
+                "https://api.github.com/repos/${GITHUB_REPOSITORY}/actions/artifacts/${artifact_id}"
             fi
           done <<< "$artifacts"
         done

.github/actions/package-nfpm/action.yml

@@ -64,29 +64,38 @@ runs:
       env:
         RPM_GPG_SIGNING_KEY_ID: ${{ inputs.rpm_gpg_signing_key_id }}
         RPM_GPG_SIGNING_PASSPHRASE: ${{ inputs.rpm_gpg_signing_passphrase }}
+        INPUT_VERSION: ${{ inputs.version }}
+        MAJOR_VERSION: ${{ inputs.major_version }}
+        MINOR_VERSION: ${{ inputs.minor_version }}
+        INPUT_RELEASE: ${{ inputs.release }}
+        ARCH: ${{ inputs.arch }}
+        PACKAGE_EXTENSION: ${{ inputs.package_extension }}
+        DISTRIB: ${{ inputs.distrib }}
+        STABILITY: ${{ inputs.stability }}
+        PKG_DISTRIB_SEPARATOR: ${{ steps.parse-distrib.outputs.package_distrib_separator }}
+        PKG_DISTRIB_NAME: ${{ steps.parse-distrib.outputs.package_distrib_name }}
+        NFPM_FILE_PATTERN: ${{ inputs.nfpm_file_pattern }}
+        COMMIT_HASH: ${{ inputs.commit_hash }}
       run: |
-        if [ -z ${{ inputs.version }} ]; then
-          export VERSION="${{ inputs.major_version }}.${{ inputs.minor_version }}"
-          export MAJOR_VERSION="${{ inputs.major_version }}"
-          export MINOR_VERSION="${{ inputs.minor_version }}"
-        elif [ -z ${{ inputs.major_version }} ]; then
-          export VERSION="${{ inputs.version }}"
+        if [ -z $INPUT_VERSION ]; then
+          export VERSION="${MAJOR_VERSION}.${MINOR_VERSION}"
+        elif [ -z $MAJOR_VERSION ]; then
+          export VERSION="${INPUT_VERSION}"
           export MAJOR_VERSION=$( echo $VERSION | cut -d "-" -f1 )
           export MINOR_VERSION=$( echo $VERSION | cut -d "-" -f2 )
         fi
-        export RELEASE="${{ inputs.release }}"
-        export ARCH="${{ inputs.arch }}"
+        export RELEASE="${INPUT_RELEASE}"
 
-        if  [ "${{ inputs.package_extension }}" = "rpm" ]; then
-          export DIST=".${{ inputs.distrib }}"
+        if  [ "$PACKAGE_EXTENSION" = "rpm" ]; then
+          export DIST=".$DISTRIB"
           export APACHE_USER="apache"
           export APACHE_GROUP="apache"
         else
           export DIST=""
-          if [ "${{ inputs.stability }}" == "unstable" ] || [ "${{ inputs.stability }}" == "canary" ]; then
-            export RELEASE="$RELEASE${{ steps.parse-distrib.outputs.package_distrib_separator }}${{ steps.parse-distrib.outputs.package_distrib_name }}"
+          if [ "$STABILITY" == "unstable" ] || [ "$STABILITY" == "canary" ]; then
+            export RELEASE="$RELEASE${PKG_DISTRIB_SEPARATOR}${PKG_DISTRIB_NAME}"
           else
-            export RELEASE="1${{ steps.parse-distrib.outputs.package_distrib_separator }}${{ steps.parse-distrib.outputs.package_distrib_name }}"
+            export RELEASE="1${PKG_DISTRIB_SEPARATOR}${PKG_DISTRIB_NAME}"
           fi
           export APACHE_USER="www-data"
           export APACHE_GROUP="www-data"
@@ -109,16 +118,16 @@ runs:
         export RPM_SIGNING_KEY_ID="$RPM_GPG_SIGNING_KEY_ID"
         export NFPM_RPM_PASSPHRASE="$RPM_GPG_SIGNING_PASSPHRASE"
 
-        for FILE in ${{ inputs.nfpm_file_pattern }}; do
+        for FILE in $NFPM_FILE_PATTERN; do
           DIRNAME=$(dirname $FILE)
           BASENAME=$(basename $FILE)
           cd $DIRNAME
           sed -i "s/@APACHE_USER@/$APACHE_USER/g" $BASENAME
           sed -i "s/@APACHE_GROUP@/$APACHE_GROUP/g" $BASENAME
-          sed -i "s/@COMMIT_HASH@/${{ inputs.commit_hash }}/g" $BASENAME
-          nfpm package --config $BASENAME --packager ${{ inputs.package_extension }}
+          sed -i "s/@COMMIT_HASH@/$COMMIT_HASH/g" $BASENAME
+          nfpm package --config $BASENAME --packager $PACKAGE_EXTENSION
           cd -
-          mv $DIRNAME/*.${{ inputs.package_extension }} ./
+          mv $DIRNAME/*.$PACKAGE_EXTENSION ./
         done
       shell: bash
 

.github/actions/parse-distrib/action.yml

@@ -23,49 +23,51 @@ runs:
   steps:
     - name: Parse distrib
       id: parse-distrib
+      env:
+        DISTRIB: ${{ inputs.distrib }}
       run: |
-        if [[ "${{ inputs.distrib }}" == "alma8" || "${{ inputs.distrib }}" == "el8" ]]; then
+        if [[ "$DISTRIB" == "alma8" || "$DISTRIB" == "el8" ]]; then
           PACKAGE_DISTRIB_SEPARATOR="."
           PACKAGE_DISTRIB_NAME="el8"
           PACKAGE_EXTENSION="rpm"
           DISTRIB_FAMILY="el"
-        elif [[ "${{ inputs.distrib }}" == "alma9" || "${{ inputs.distrib }}" == "el9" ]]; then
+        elif [[ "$DISTRIB" == "alma9" || "$DISTRIB" == "el9" ]]; then
           PACKAGE_DISTRIB_SEPARATOR="."
           PACKAGE_DISTRIB_NAME="el9"
           PACKAGE_EXTENSION="rpm"
           DISTRIB_FAMILY="el"
-        elif [[ "${{ inputs.distrib }}" == "alma10" || "${{ inputs.distrib }}" == "el10" ]]; then
+        elif [[ "$DISTRIB" == "alma10" || "$DISTRIB" == "el10" ]]; then
           PACKAGE_DISTRIB_SEPARATOR="."
           PACKAGE_DISTRIB_NAME="el10"
           PACKAGE_EXTENSION="rpm"
           DISTRIB_FAMILY="el"
-        elif [[ "${{ inputs.distrib }}" == "bullseye" ]]; then
+        elif [[ "$DISTRIB" == "bullseye" ]]; then
           PACKAGE_DISTRIB_SEPARATOR="+"
           PACKAGE_DISTRIB_NAME="deb11u1"
           PACKAGE_EXTENSION="deb"
           DISTRIB_FAMILY="debian"
-        elif [[ "${{ inputs.distrib }}" == "bookworm" ]]; then
+        elif [[ "$DISTRIB" == "bookworm" ]]; then
           PACKAGE_DISTRIB_SEPARATOR="+"
           PACKAGE_DISTRIB_NAME="deb12u1"
           PACKAGE_EXTENSION="deb"
           DISTRIB_FAMILY="debian"
-        elif [[ "${{ inputs.distrib }}" == "trixie" ]]; then
+        elif [[ "$DISTRIB" == "trixie" ]]; then
           PACKAGE_DISTRIB_SEPARATOR="+"
           PACKAGE_DISTRIB_NAME="deb13u1"
           PACKAGE_EXTENSION="deb"
           DISTRIB_FAMILY="debian"
-        elif [[ "${{ inputs.distrib }}" == "jammy" ]]; then
+        elif [[ "$DISTRIB" == "jammy" ]]; then
           PACKAGE_DISTRIB_SEPARATOR="-"
           PACKAGE_DISTRIB_NAME="0ubuntu.22.04"
           PACKAGE_EXTENSION="deb"
           DISTRIB_FAMILY="ubuntu"
-        elif [[ "${{ inputs.distrib }}" == "noble" ]]; then
+        elif [[ "$DISTRIB" == "noble" ]]; then
           PACKAGE_DISTRIB_SEPARATOR="-"
           PACKAGE_DISTRIB_NAME="0ubuntu.24.04"
           PACKAGE_EXTENSION="deb"
           DISTRIB_FAMILY="ubuntu"
         else
-          echo "::error::Distrib ${{ inputs.distrib }} cannot be parsed"
+          echo "::error::Distrib $DISTRIB cannot be parsed"
           exit 1
         fi
         echo "package_distrib_separator=$PACKAGE_DISTRIB_SEPARATOR" >> $GITHUB_OUTPUT

.github/actions/promote-to-stable/action.yml

@@ -30,13 +30,17 @@ runs:
 
     - name: Promote RPM packages to stable
       if: ${{ startsWith(inputs.distrib, 'el') }}
+      env:
+        DISTRIB: ${{ inputs.distrib }}
+        MODULE: ${{ inputs.module }}
+        STABILITY: ${{ inputs.stability }}
       run: |
         set -x
-        echo "[DEBUG] - Distrib: ${{ inputs.distrib }}"
+        echo "[DEBUG] - Distrib: $DISTRIB"
 
         for ARCH in "noarch" "x86_64"; do
           echo "[DEBUG] - Get path of $ARCH testing artifacts to promote to stable."
-          SRC_PATHS=$(jf rt s --include-dirs rpm-plugins/${{ inputs.distrib }}/testing/$ARCH/${{ inputs.module }}/*.rpm | jq -r '.[].path')
+          SRC_PATHS=$(jf rt s --include-dirs rpm-plugins/$DISTRIB/testing/$ARCH/$MODULE/*.rpm | jq -r '.[].path')
 
           if [[ ${SRC_PATHS[@]} ]]; then
             for SRC_PATH in ${SRC_PATHS[@]}; do
@@ -48,7 +52,7 @@ runs:
           fi
 
           echo "[DEBUG] - Build $ARCH target path."
-          TARGET_PATH="rpm-plugins/${{ inputs.distrib }}/${{ inputs.stability }}/$ARCH/RPMS/${{ inputs.module }}/"
+          TARGET_PATH="rpm-plugins/$DISTRIB/$STABILITY/$ARCH/RPMS/$MODULE/"
           echo "[DEBUG] - Target path: $TARGET_PATH"
 
           echo "[DEBUG] - Promoting $ARCH testing artifacts to stable."
@@ -67,20 +71,25 @@ runs:
 
     - name: Promote DEB package to stable
       if: ${{ contains(fromJSON('["bullseye", "bookworm", "trixie", "jammy", "noble"]'), inputs.distrib) }}
+      env:
+        DISTRIB: ${{ inputs.distrib }}
+        MODULE: ${{ inputs.module }}
+        STABILITY: ${{ inputs.stability }}
+        PKG_DISTRIB_NAME: ${{ steps.parse-distrib.outputs.package_distrib_name }}
       run: |
         set -eux
 
-        echo "[DEBUG] - Distrib: ${{ inputs.distrib }}"
-        echo "[DEBUG] - Distrib: ${{ inputs.module }}"
+        echo "[DEBUG] - Distrib: $DISTRIB"
+        echo "[DEBUG] - Distrib: $MODULE"
 
-        if [[ "${{ inputs.distrib }}" == "jammy" || "${{ inputs.distrib }}" == "noble" ]]; then
+        if [[ "$DISTRIB" == "jammy" || "$DISTRIB" == "noble" ]]; then
           repo="ubuntu-plugins"
         else
           repo="apt-plugins"
         fi
 
         echo "[DEBUG] - Get path of testing DEB packages to promote to stable."
-        SRC_PATHS=$(jf rt search --include-dirs $repo-testing/pool/${{ inputs.module }}/*${{ steps.parse-distrib.outputs.package_distrib_name }}*.deb | jq -r '.[].path')
+        SRC_PATHS=$(jf rt search --include-dirs $repo-testing/pool/$MODULE/*${PKG_DISTRIB_NAME}*.deb | jq -r '.[].path')
 
         if [[ ${SRC_PATHS[@]} ]]; then
           for SRC_PATH in ${SRC_PATHS[@]}; do
@@ -92,7 +101,7 @@ runs:
         fi
 
         echo "[DEBUG] - Build target path."
-        TARGET_PATH="$repo-${{ inputs.stability }}/pool/${{ inputs.module }}/"
+        TARGET_PATH="$repo-$STABILITY/pool/$MODULE/"
         echo "[DEBUG] - Target path: $TARGET_PATH"
 
         echo "[DEBUG] - Promoting DEB testing artifacts to stable."
@@ -101,10 +110,10 @@ runs:
           jf rt download $ARTIFACT --flat
         done
 
-        for ARTIFACT_DL in $(find . -maxdepth 1 -type f -name '*${{ steps.parse-distrib.outputs.package_distrib_name }}*.deb' -printf '%f\n'); do
+        for ARTIFACT_DL in $(find . -maxdepth 1 -type f -name "*${PKG_DISTRIB_NAME}*.deb" -printf '%f\n'); do
           ARCH=$(echo $ARTIFACT_DL | cut -d '_' -f3 | cut -d '.' -f1)
           echo "[DEBUG] - Promoting (upload) $ARTIFACT_DL to stable $TARGET_PATH."
-          jf rt upload "$ARTIFACT_DL" "$TARGET_PATH" --deb "${{ inputs.distrib }}/main/$ARCH"
+          jf rt upload "$ARTIFACT_DL" "$TARGET_PATH" --deb "$DISTRIB/main/$ARCH"
         done
         rm -f *.deb
       shell: bash

.github/actions/release-sources/action.yml

@@ -31,15 +31,22 @@ runs:
       shell: bash
 
     - name: Publish on download.centreon.com
+      env:
+        MODULE_NAME: ${{ inputs.module_name }}
+        VERSION: ${{ inputs.version }}
+        MODULE_DIRECTORY: ${{ inputs.module_directory }}
+        BUCKET_DIRECTORY: ${{ inputs.bucket_directory }}
+        TOKEN_DOWNLOAD: ${{ inputs.token_download_centreon_com }}
+        RELEASE: ${{ inputs.release }}
       run: |
-        SRC_FILE="${{ inputs.module_name }}-${{ inputs.version }}.tar.gz"
+        SRC_FILE="${MODULE_NAME}-${VERSION}.tar.gz"
 
-        mv "${{ inputs.module_directory }}" "${{ inputs.module_name }}-${{ inputs.version }}"
-        tar czf $SRC_FILE "${{ inputs.module_name }}-${{ inputs.version }}"
+        mv "$MODULE_DIRECTORY" "${MODULE_NAME}-${VERSION}"
+        tar czf $SRC_FILE "${MODULE_NAME}-${VERSION}"
 
         SRC_HASH=$(md5sum $SRC_FILE | cut -d ' ' -f 1)
         SRC_SIZE=$(stat -c '%s' $SRC_FILE)
 
-        aws s3 cp --acl public-read "$SRC_FILE" "s3://centreon-download/public/${{ inputs.bucket_directory }}/$SRC_FILE"
-        curl --fail "https://download.centreon.com/api/?token=${{ inputs.token_download_centreon_com }}&product=${{ inputs.module_name }}&release=${{ inputs.release }}&version=${{ inputs.version }}&extension=tar.gz&md5=$SRC_HASH&size=$SRC_SIZE&ddos=0&dryrun=0"
+        aws s3 cp --acl public-read "$SRC_FILE" "s3://centreon-download/public/${BUCKET_DIRECTORY}/$SRC_FILE"
+        curl --fail "https://download.centreon.com/api/?token=${TOKEN_DOWNLOAD}&product=${MODULE_NAME}&release=${RELEASE}&version=${VERSION}&extension=tar.gz&md5=$SRC_HASH&size=$SRC_SIZE&ddos=0&dryrun=0"
       shell: bash

.github/actions/test-cpan-libs/action.yml

@@ -17,6 +17,8 @@ runs:
 
     - if: ${{ inputs.package_extension == 'rpm' }}
       name: Install zstd, perl and Centreon repositories
+      env:
+        DISTRIB: ${{ inputs.distrib }}
       run: |
         dnf install -y zstd perl epel-release 'dnf-command(config-manager)' perl-App-cpanminus
         dnf config-manager --set-enabled powertools || true # alma 8
@@ -29,14 +31,14 @@ runs:
         {
           echo '[centreon-plugins-stable]'
           echo 'name=centreon plugins stable x86_64'
-          echo "baseurl=https://packages.centreon.com/rpm-plugins/${{ inputs.distrib }}/stable/x86_64"
+          echo "baseurl=https://packages.centreon.com/rpm-plugins/${DISTRIB}/stable/x86_64"
           echo 'enabled=1'
           echo 'gpgcheck=1'
           echo 'gpgkey=https://yum-gpg.centreon.com/RPM-GPG-KEY-CES'
           echo ''
           echo '[centreon-plugins-stable-noarch]'
           echo 'name=centreon plugins stable noarch'
-          echo "baseurl=https://packages.centreon.com/rpm-plugins/${{ inputs.distrib }}/stable/noarch"
+          echo "baseurl=https://packages.centreon.com/rpm-plugins/${DISTRIB}/stable/noarch"
           echo 'enabled=1'
           echo 'gpgcheck=1'
           echo 'gpgkey=https://yum-gpg.centreon.com/RPM-GPG-KEY-CES'
@@ -45,18 +47,20 @@ runs:
 
     - if: ${{ inputs.package_extension == 'deb' }}
       name: Install zstd, perl and Centreon repositories
+      env:
+        DISTRIB: ${{ inputs.distrib }}
       run: |
         export DEBIAN_FRONTEND=noninteractive
         apt-get update
         apt-get install -y zstd perl wget gpg apt-utils procps build-essential cpanminus
         wget -O- https://apt-key.centreon.com | gpg --dearmor | tee /etc/apt/trusted.gpg.d/centreon.gpg > /dev/null 2>&1
         # Add Centreon stable repository so that pre-existing packaged dependencies are available
-        if [[ "${{ inputs.distrib }}" == "jammy" || "${{ inputs.distrib }}" == "noble" ]]; then
+        if [[ "$DISTRIB" == "jammy" || "$DISTRIB" == "noble" ]]; then
           repo="ubuntu-plugins-stable"
         else
           repo="apt-plugins-stable"
         fi
-        echo "deb https://packages.centreon.com/$repo/ ${{ inputs.distrib }} main" | tee /etc/apt/sources.list.d/centreon-plugins.list
+        echo "deb https://packages.centreon.com/$repo/ $DISTRIB main" | tee /etc/apt/sources.list.d/centreon-plugins.list
         # Avoid apt to clean packages cache directory
         rm -f /etc/apt/apt.conf.d/docker-clean
         apt-get update
@@ -71,8 +75,11 @@ runs:
 
     - if: ${{ inputs.package_extension == 'rpm' }}
       name: Check packages installation / uninstallation
+      env:
+        DISTRIB: ${{ inputs.distrib }}
+        ARCH: ${{ inputs.arch }}
       run: |
-        error_log="install_error_${{ inputs.distrib }}_${{ inputs.arch }}.log"
+        error_log="install_error_${DISTRIB}_${ARCH}.log"
         for package in ./*.rpm; do
           echo "Installing package: $package"
           # List dependencies, and remove version and comparison operators
@@ -120,11 +127,14 @@ runs:
 
     - if: ${{ inputs.package_extension == 'deb' }}
       name: Check packages installation / uninstallation
+      env:
+        DISTRIB: ${{ inputs.distrib }}
+        ARCH: ${{ inputs.arch }}
       run: |
-        error_log="install_error_${{ inputs.distrib }}_${{ inputs.arch }}.log"
+        error_log="install_error_${DISTRIB}_${ARCH}.log"
         for package in ./*.deb; do
           # If the debian package name ends with amd64 or arm64, we only install it if the tested architecture is the same, otherwise we skip it
-          if [[ $package == *amd64.deb && ${{ inputs.arch }} != "amd64" || $package == *arm64.deb && ${{ inputs.arch }} != "arm64" ]]; then
+          if [[ $package == *amd64.deb && $ARCH != "amd64" || $package == *arm64.deb && $ARCH != "arm64" ]]; then
             continue
           fi
           echo "Installing package: $package"
@@ -138,7 +148,7 @@ runs:
               echo "Dependency $dependency exists in debian repository."
             else
               # If the dependency has been built in the same workflow, install it
-              for dependency_package in $(find . -maxdepth 1 -regex "\.\/${dependency}_[0-9].*all\.deb" -o -regex "\.\/${dependency}_[0-9].*${{ inputs.arch }}\.deb"); do
+              for dependency_package in $(find . -maxdepth 1 -regex "\.\/${dependency}_[0-9].*all\.deb" -o -regex "\.\/${dependency}_[0-9].*${ARCH}\.deb"); do
                 echo "Installing dependency: $dependency_package"
                 error_output=$(apt-get install -y "$dependency_package" 2>&1) || { echo "$error_output" >> $error_log; echo "Error during installation of the dependency $dependency" >> $error_log; true; }
               done

.github/scripts/list-plugins-to-build-and-test.py

@@ -1,6 +1,7 @@
 #!/usr/bin/env python3
 
 import json
+import os
 import subprocess
 import argparse
 from pathlib import Path
@@ -47,7 +48,12 @@ def add_package_info(packaging_file, build=True, test=True):
         test_dependencies = []
         rpm_file = packaging_dir / 'rpm.json'
         if rpm_file.exists():
-            with open(rpm_file) as rf:
+            packaging_base = os.path.realpath("packaging")
+            rpm_file_real  = os.path.realpath(rpm_file)
+            if os.path.commonpath([packaging_base, rpm_file_real]) != packaging_base:
+                raise Exception("Invalid file path")
+            fd = os.open(rpm_file_real, os.O_RDONLY | os.O_NOFOLLOW)
+            with os.fdopen(fd) as rf:
                 rpm_data = json.load(rf)
                 test_dependencies = [dependency for dependency in rpm_data.get('dependencies', []) if dependency.lower().startswith('centreon-plugin-')]
         if packaging['pkg_name'] not in list_plugins: