
Commit 9af3e13

deekay2310claude
fix: harden --ghactions-runner-image-repo input
- Quote the URL in snippet git clone commands to prevent shell injection
- Add --depth=1 to limit clone exposure and speed up provisioning
- Validate that only HTTPS URLs are accepted for the runner image repo

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent c9a4b05 commit 9af3e13

3 files changed

Lines changed: 20 additions & 3 deletions


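--- a/cmd/mapt/cmd/params/params.go
+++ b/cmd/mapt/cmd/params/params.go
@@ -1,6 +1,9 @@
 package params
 
 import (
+	"fmt"
+	"strings"
+
 	"github.com/redhat-developer/mapt/pkg/integrations/cirrus"
 	"github.com/redhat-developer/mapt/pkg/integrations/github"
 	"github.com/redhat-developer/mapt/pkg/integrations/gitlab"
@@ -288,18 +291,32 @@ func AddGHActionsFlags(fs *pflag.FlagSet) {
 
 func GithubRunnerArgs() *github.GithubRunnerArgs {
 	if viper.IsSet(ghActionsRunnerToken) {
+		imageRepo := viper.GetString(ghActionsRunnerImageRepo)
+		if imageRepo != "" {
+			if err := validateRunnerImageRepo(imageRepo); err != nil {
+				logging.Errorf("invalid --ghactions-runner-image-repo: %v", err)
+				return nil
+			}
+		}
 		return &github.GithubRunnerArgs{
 			Token:           viper.GetString(ghActionsRunnerToken),
 			RepoURL:         viper.GetString(ghActionsRunnerRepo),
 			Labels:          viper.GetStringSlice(ghActionsRunnerLabels),
 			Platform:        &github.Linux,
 			Arch:            linuxArchAsGithubActionsArch(viper.GetString(LinuxArch)),
-			RunnerImageRepo: viper.GetString(ghActionsRunnerImageRepo),
+			RunnerImageRepo: imageRepo,
 		}
 	}
 	return nil
 }
 
+func validateRunnerImageRepo(repo string) error {
+	if !strings.HasPrefix(repo, "https://") {
+		return fmt.Errorf("only HTTPS URLs are allowed, got: %s", repo)
+	}
+	return nil
+}
+
 func AddCirrusFlags(fs *pflag.FlagSet) {
 	fs.StringP(cirrusPWToken, "", "", cirrusPWTokenDesc)
 	fs.StringToStringP(cirrusPWLabels, "", nil, cirrusPWLabelsDesc)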
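Review bot: The HTTPS-prefix check in `validateRunnerImageRepo` does not make the value safe for the `"{{ .RunnerImageRepo }}"` interpolation in the snippet files, because inside bash double quotes `$`, backticks, `"` and `\` are still interpreted and a string that starts with `https://` can carry any of them. Parse the value with `net/url` (scheme must be `https`, host non-empty) and explicitly reject shell-significant characters and whitespace, which also turns the prefix test into an actual URL check; `net/url` would need adding to the import block at the top of the file. The error message should quote the input with `%q` so an empty or whitespace-laden value is visible in the log. The validation failure path returns nil just like the "token not set" path, so callers cannot tell the two apart from the return value alone; if that matters, consider returning the error instead.
```go
func validateRunnerImageRepo(repo string) error {
	u, err := url.Parse(repo)
	if err != nil {
		return fmt.Errorf("parsing runner image repo URL %q: %w", repo, err)
	}
	if u.Scheme != "https" || u.Host == "" {
		return fmt.Errorf("only HTTPS URLs are allowed, got: %q", repo)
	}
	// The value is pasted inside double quotes in a bash snippet, where
	// $, `, " and \ are still interpreted and whitespace would split the word.
	if strings.ContainsAny(repo, "$`\"\\ \t\r\n") {
		return fmt.Errorf("runner image repo URL contains shell-significant characters: %q", repo)
	}
	return nil
}
```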

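--- a/pkg/integrations/github/snippet-linux-ppc64le.sh
+++ b/pkg/integrations/github/snippet-linux-ppc64le.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-git clone {{ .RunnerImageRepo }} /opt/action-runner-image-pz
+git clone --depth=1 "{{ .RunnerImageRepo }}" /opt/action-runner-image-pz
 
 cd /opt/action-runner-image-pz
 bash -c '. scripts/vm.sh rhel 9 minimal --skip-snap-lxd'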
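Review bot: Double quotes around `{{ .RunnerImageRepo }}` stop word splitting but not `$(...)`, backtick or `"` expansion, so the template value still reaches the shell unneutralised unless it is validated before rendering; the same line appears in snippet-linux-s390x.sh. Single quotes are the stronger choice for a value that cannot legitimately contain `'`: `git clone --depth=1 '{{ .RunnerImageRepo }}' /opt/action-runner-image-pz`. Because the template engine pastes the value literally, a `'` in the value would still terminate the quoting, so this complements rather than replaces input validation on the Go side.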

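--- a/pkg/integrations/github/snippet-linux-s390x.sh
+++ b/pkg/integrations/github/snippet-linux-s390x.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-git clone {{ .RunnerImageRepo }} /opt/action-runner-image-pz
+git clone --depth=1 "{{ .RunnerImageRepo }}" /opt/action-runner-image-pz
 
 cd /opt/action-runner-image-pz
 bash -c '. scripts/vm.sh ubuntu 22.04 minimal --skip-snap-lxd'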
