From f55d5027114c1f3ace72f60bafaead62eb6be626 Mon Sep 17 00:00:00 2001 From: Jonathan Innis Date: Mon, 11 Dec 2023 15:52:41 -0800 Subject: [PATCH] Add a security notice file to top-level .github directory --- .github/security-notice.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 .github/security-notice.md diff --git a/.github/security-notice.md b/.github/security-notice.md new file mode 100644 index 000000000000..19ad672e7ddc --- /dev/null +++ b/.github/security-notice.md @@ -0,0 +1,22 @@ +# Github Workflows Security Notice + +Writing security workflows that can be accessed by third parties outside of your repository is inherently dangerous. There is a full list of vulnerabilities that you can subject yourself to when you enable external users to interact with your workflows. These vulnerabilities are well-described here: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions as well as detail on how to mitigate these risks. + +As a rule-of-thumb within the Karpenter workflows, we have chosen to always assign any input that _might_ come from a user in either a Github workflow or a composite action into environment variables any we are using a bash or javascript script as a step in the workflow or action. An example of this can be seen below: + +```yaml +- name: Save info about the review comment as an artifact for other workflows that run on workflow_run to download them + env: + # We store these values in environment variables to avoid bash script injection + # Specifically, it's important that we do this for github.event.review.body since this is user-controller input + # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions + REVIEW_BODY: ${{ github.event.review.body }} + PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} + COMMIT_ID: ${{ github.event.review.commit_id }} + run: | + mkdir -p /tmp/artifacts + { echo "$REVIEW_BODY"; echo "$PULL_REQUEST_NUMBER"; echo "$COMMIT_ID"; } >> /tmp/artifacts/metadata.txt + cat /tmp/artifacts/metadata.txt +``` + +Note that, when you are writing Github workflows or composite actions to ensure to follow this code-style to reduce the attack surface could result from attempted script injection to the workflows. \ No newline at end of file