Pass untrusted input via env vars (#21)

Author: esphen

.github/workflows/run-terraform.yml

@@ -115,11 +115,13 @@ jobs:
     # Checks that all Terraform configuration files adhere to a canonical format
     - name: Terraform Format
       id: format
+      env:
+        WORKING_DIRECTORY: ${{ inputs.working_directory }}
       run: |
         echo 'Run format check' | tee -a $GITHUB_STEP_SUMMARY
         terraform fmt -check -no-color || { echo '
         FAILURE! The above files are not properly formatted.
-        Run `terraform fmt` in ${{ inputs.working_directory }}, commit the changed files and push to fix the issue' | tee -a $GITHUB_STEP_SUMMARY ; exit 1; }
+        Run `terraform fmt` in $WORKING_DIRECTORY, commit the changed files and push to fix the issue' | tee -a $GITHUB_STEP_SUMMARY ; exit 1; }
 
   terraform_plan:
     name: Terraform Plan
@@ -170,7 +172,9 @@ jobs:
 
     - name: Authenticate with Kubernetes
       if: inputs.kubernetes_cluster != ''
-      run: gcloud container hub memberships get-credentials ${{ inputs.kubernetes_cluster }} --verbosity debug
+      env:
+        KUBERNETES_CLUSTER: ${{ inputs.kubernetes_cluster }}
+      run: gcloud container hub memberships get-credentials $KUBERNETES_CLUSTER --verbosity debug
 
     - name: Authenticate with Vault
       if: inputs.vault_role != ''
@@ -188,9 +192,11 @@ jobs:
 
     - name: Terraform Plan
       id: plan
+      env:
+        ENV: ${{ inputs.environment }}
       run: |
         # 1. Run and send stdout to build log as usual
-        terraform plan ${{ inputs.terraform_options }} -input=false -no-color -detailed-exitcode -out=plan-${{ inputs.environment }}.tfplan | tee output.txt
+        terraform plan ${{ inputs.terraform_options }} -input=false -no-color -detailed-exitcode -out=plan-$ENV.tfplan | tee output.txt
 
         # 2. Remove some github commands and fluff
         STDOUT="$(sed '/^::/d' output.txt | grep -v 'Refreshing state...')"
@@ -201,19 +207,13 @@ jobs:
         ${STDOUT}
         \`\`\`
         EOF
- 
-        # 4. Sanitize string for when it is injected into js template string later
-        # Sanitize ` into \`
-        STDOUT="${STDOUT//\`/'\`'}"
-        # Sanitize ${} into \${}
-        STDOUT="${STDOUT//\${/'\${'}"
-
-        # 5. Serialize into single-line string for transfer using outputs that only support single line
+
+        # 4. Serialize into single-line string for transfer using outputs that only support single line
         STDOUT="${STDOUT//'%'/'%25'}"
         STDOUT="${STDOUT//$'\n'/'%0A'}"
         STDOUT="${STDOUT//$'\r'/'%0D'}"
 
-        # 6. Write output 
+        # 5. Write output 
         echo "stdout=$STDOUT" >> $GITHUB_OUTPUT
 
     - name: Upload Plan Artifact
@@ -237,6 +237,18 @@ jobs:
     steps:
     - name: Update Pull Request
       uses: actions/github-script@v6
+      env:
+        # Passing via env vars to sanitize untrusted inputs
+        ENV: ${{ inputs.environment }}
+        PLAN_EXITCODE: ${{ needs.terraform_plan.outputs.plan_exitcode }}
+        DEPLOY_ON: ${{ inputs.deploy_on }}
+        VALIDATE_OUTPUT: ${{ needs.terraform_check.outputs.validate_stdout }}
+        PLAN_OUTPUT: ${{ needs.terraform_plan.outputs.plan_stdout }}
+        FORMAT_OUTCOME: ${{ needs.terraform_check.outputs.format_outcome }}
+        INIT_OUTCOME: ${{ needs.terraform_plan.outputs.init_outcome }}
+        VALIDATE_OUTCOME: ${{ needs.terraform_check.outputs.validate_outcome }}
+        PLAN_OUTCOME: ${{ needs.terraform_plan.outputs.plan_outcome }}
+        WORKING_DIRECTORY: ${{ inputs.working_directory }}
       with:
         github-token: ${{ secrets.GITHUB_TOKEN }}
         script: |
@@ -246,6 +258,19 @@ jobs:
             repo: context.repo.repo
           });
 
+          const {
+            ENV,
+            PLAN_EXITCODE,
+            DEPLOY_ON,
+            VALIDATE_OUTPUT,
+            PLAN_OUTPUT,
+            FORMAT_OUTCOME,
+            INIT_OUTCOME,
+            VALIDATE_OUTCOME,
+            PLAN_OUTCOME,
+            WORKING_DIRECTORY,
+          } = process.env;
+
           /* Body is in the format of
           * <!-- @run-terraform -->
           * <!-- @run-terraform:start:jobid -->
@@ -256,47 +281,47 @@ jobs:
           const comment = comments.find(({ body }) => body.startsWith(bodyStartMarker));
           const id = comment?.id;
           let commentBody = comment?.body ?? bodyStartMarker;
-          const bodyHasJobInfo = commentBody.includes('<!-- @run-terraform:start:${{ inputs.environment }} -->');
+          const bodyHasJobInfo = commentBody.includes(`<!-- @run-terraform:start:${ENV} -->`);
 
-          const exitcode = '${{ needs.terraform_plan.outputs.plan_exitcode }}';
+          const exitcode = PLAN_EXITCODE;
           const action = {
             0: 'No changes detected. Will not run Terraform apply job',
             1: 'An error occured! Will not run Terraform apply job',
-            2: 'Changes detected. Will run Terraform apply job on merge to ${{ inputs.deploy_on }}'
+            2: `Changes detected. Will run Terraform apply job on merge to ${DEPLOY_ON}`
           }[exitcode] ?? 'Terraform gave an unknown exit code, I don\'t know what happens next!';
           
-          const jobBody = `<!-- @run-terraform:start:${{ inputs.environment }} -->
-          ## Results for ${{ inputs.environment }} ${exitcode === '2' ? '– ❗ `CHANGED` ❗' : ''}
-          #### Terraform Format and Style 🖌 \`${{ needs.terraform_check.outputs.format_outcome }}\`
-          #### Terraform Initialization ⚙️ \`${{ needs.terraform_plan.outputs.init_outcome }}\`
-          #### Terraform Validation 🤖 \`${{ needs.terraform_check.outputs.validate_outcome }}\`
+          const jobBody = `<!-- @run-terraform:start:${ENV} -->
+          ## Results for ${ENV} ${exitcode === '2' ? '– ❗ `CHANGED` ❗' : ''}
+          #### Terraform Format and Style 🖌 \`${FORMAT_OUTCOME}\`
+          #### Terraform Initialization ⚙️ \`${INIT_OUTCOME}\`
+          #### Terraform Validation 🤖 \`${VALIDATE_OUTCOME}\`
           <details><summary>Validation Output</summary>
 
           \`\`\`\n
-          ${{ needs.terraform_check.outputs.validate_stdout }}
+          ${VALIDATE_OUTPUT}
           \`\`\`
 
           </details>
 
-          #### Terraform Plan 📖 \`${{ needs.terraform_plan.outputs.plan_outcome }}\`
+          #### Terraform Plan 📖 \`${PLAN_OUTCOME}\`
           
           <details><summary>Show Plan</summary>
           
           \`\`\`\n
-          ${{ needs.terraform_plan.outputs.plan_stdout }}
+          ${PLAN_OUTPUT}
           \`\`\`
           
           </details>
 
           #### Next action 🚀
           ${action}
           
-          *Pusher: @${{ github.actor }}, Working Directory: \`${{ inputs.working_directory }}\`, Commit: ${{ github.sha }}, Generated at: \`${new Date().toLocaleString('nb')}\`*
-          <!-- @run-terraform:end:${{ inputs.environment }} -->`;
+          *Pusher: @${{ github.actor }}, Working Directory: \`${WORKING_DIRECTORY}\`, Commit: ${{ github.sha }}, Generated at: \`${new Date().toLocaleString('nb')}\`*
+          <!-- @run-terraform:end:${ENV} -->`;
 
           if (bodyHasJobInfo) {
             commentBody = commentBody.replace(
-              /<!-- @run-terraform:start:${{ inputs.environment }} -->.*<!-- @run-terraform:end:${{ inputs.environment }} -->/s,
+              new RegExp(`<!-- @run-terraform:start:${ENV} -->.*<!-- @run-terraform:end:${ENV} -->`, 's'),
               jobBody,
             );
           } else {
@@ -365,7 +390,9 @@ jobs:
 
     - name: Authenticate with Kubernetes
       if: inputs.kubernetes_cluster != ''
-      run: gcloud container hub memberships get-credentials ${{ inputs.kubernetes_cluster }} --verbosity debug
+      env:
+        KUBERNETES_CLUSTER: ${{ inputs.kubernetes_cluster }}
+      run: gcloud container hub memberships get-credentials $KUBERNETES_CLUSTER --verbosity debug
 
     - name: Authenticate with Vault
       if: inputs.vault_role != ''
@@ -394,8 +421,10 @@ jobs:
 
     - name: Run Terraform
       if: inputs.destroy == false
+      env:
+        ENV: ${{ inputs.environment }}
       run: |
-        terraform apply -input=false plan-${{ inputs.environment }}.tfplan
+        terraform apply -input=false plan-$ENV.tfplan
 
   attest-deploy:
     if: inputs.image_url != '' && (inputs.environment == 'dev' || inputs.environment == 'test')
@@ -417,14 +446,16 @@ jobs:
 
       - name: Get Image Digest URL from Image Tag URL
         id: image-digest-url
+        env:
+          IMAGE_URL: ${{ inputs.image_url }}
         run: |
           # If image_url = registry/repository@digest
-          if [[ "${{inputs.image_url}}" == *"@"* ]] 
+          if [[ "$IMAGE_URL" == *"@"* ]] 
           then
-            image_digest_url="${{ inputs.image_url }}"
+            image_digest_url="$IMAGE_URL"
           else
             # Convert registry/repository:tag to registry/repository@digest
-            image_tag_url=${{ inputs.image_url }}
+            image_tag_url=$IMAGE_URL
             digest=$(docker manifest inspect $image_tag_url -v | jq -r .Descriptor.digest)
             base_image_url=${image_tag_url%:*}
             image_digest_url="${base_image_url}@${digest}"
@@ -433,8 +464,11 @@ jobs:
 
       - name: Check if already attested
         id: get-attestation
+        env:
+          ENV: ${{ inputs.env }}
+          PROJECT_ID: ${{ inputs.project_id }}
         run: |
-          attestation=$(gcloud container binauthz attestations list --project="${{ inputs.project_id }}" --attestor="projects/${{ inputs.project_id }}/attestors/Deploy-${{ inputs.environment }}" --artifact-url="${{ steps.image-digest-url.outputs.image_url }}")
+          attestation=$(gcloud container binauthz attestations list --project="$PROJECT_ID" --attestor="projects/$PROJECT_ID/attestors/Deploy-$ENV" --artifact-url="${{ steps.image-digest-url.outputs.image_url }}")
           attestationoutput=$(printf '%s' $attestation | jq --raw-input --slurp '.' --join-output)
           echo "::set-output name=attestation::$attestationoutput"
       
@@ -443,15 +477,19 @@ jobs:
         id: attest-deploy
         # Note: msg is an empty string when no attestation is done
         if: steps.get-attestation.outputs.attestation == ''
+        env:
+          ENV: ${{ inputs.env }}
+          PROJECT_ID: ${{ inputs.project_id }}
+          IMAGE_URL: ${{ steps.image-digest-url.outputs.image_url }}
         run: |
           gcloud beta container binauthz attestations sign-and-create \
-            --project="${{ inputs.project_id }}" \
-            --artifact-url="${{ steps.image-digest-url.outputs.image_url }}" \
-            --attestor="Deploy-${{ inputs.environment }}" \
-            --attestor-project="${{ inputs.project_id }}" \
-            --keyversion-project="${{ inputs.project_id }}" \
+            --project="$PROJECT_ID" \
+            --artifact-url="$IMAGE_URL" \
+            --attestor="Deploy-$ENV" \
+            --attestor-project="$PROJECT_ID" \
+            --keyversion-project="$PROJECT_ID" \
             --keyversion-location="europe-north1" \
             --keyversion-keyring="Attestor-Keyring" \
-            --keyversion-key="Deploy-${{ inputs.environment }}-Key" \
+            --keyversion-key="Deploy-$ENV-Key" \
             --keyversion="1"
           echo Attestation succeded