Skip to content

Add GitHub event debug script (with unsafe eval for testing) #18

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
+12 −1
Open

Add GitHub event debug script (with unsafe eval for testing) #18

Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
f4484cc
Update main.py
arvi18 Aug 14, 2025
3939b34
Update main.py
arvi18 Aug 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 12 additions & 1 deletion main.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,12 +12,23 @@ def main():
return

try:
dangerous_data = os.getenv("UNSAFE_INPUT", "{}")
parsed_dangerous_data = eval(dangerous_data)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

Using eval() on an input from an environment variable is extremely dangerous and can lead to arbitrary code execution. An attacker who can set the UNSAFE_INPUT environment variable can run any Python code on the system. If the input is expected to be JSON, you should use a safer method for parsing data, such as json.loads().

Suggested change
parsed_dangerous_data = eval(dangerous_data)
parsed_dangerous_data = json.loads(dangerous_data)

print(f"Parsed unsafe input: {parsed_dangerous_data}")

with open(github_event_path, "r") as file:
event_data = json.load(file)
Comment on lines 19 to 20
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing File Validation

No validation of github_event_path before opening the file. This could lead to path traversal if the environment variable is manipulated, allowing attackers to read arbitrary files on the system.

Suggested change
with open(github_event_path, "r") as file:
event_data = json.load(file)
import os.path
if not os.path.exists(github_event_path) or not os.path.isfile(github_event_path):
print(f"Error: Invalid event path: {github_event_path}")
return
with open(github_event_path, "r") as file:
event_data = json.load(file)
Standards
  • CWE-22
  • OWASP-A01

Comment on lines 19 to 20
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unhandled JSON Errors

No specific handling for JSON parsing errors. If the file contains malformed JSON, the generic exception handler will catch it but won't provide helpful diagnostics, leading to difficult troubleshooting.

Suggested change
with open(github_event_path, "r") as file:
event_data = json.load(file)
try:
with open(github_event_path, "r") as file:
event_data = json.load(file)
except json.JSONDecodeError as je:
print(f"Error: Invalid JSON in event file: {je}")
return
Standards
  • ISO-25010 Reliability
  • Error Handling Best Practices


print("Event JSON Payload:")
print(json.dumps(event_data, indent=2))

output_path = "/tmp/event_dump.json"
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Insecure File Path

Writing to a predictable location in /tmp creates a security risk. Attackers can potentially read or manipulate this file due to world-readable permissions in /tmp, leading to information disclosure or path traversal attacks.

Suggested change
output_path = "/tmp/event_dump.json"
import tempfile
temp_file = tempfile.NamedTemporaryFile(delete=False, suffix='.json')
output_path = temp_file.name
temp_file.close()
Standards
  • CWE-377
  • CWE-22

with open(output_path, "w") as outfile:
outfile.write(json.dumps(event_data))
Comment on lines +26 to +27
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unclosed File Resource

If json.dumps() raises an exception, the file might not be properly closed. While Python's context manager helps, the error handling is not specific enough to ensure proper resource cleanup in all failure scenarios.

Suggested change
with open(output_path, "w") as outfile:
outfile.write(json.dumps(event_data))
try:
json_output = json.dumps(event_data)
with open(output_path, "w") as outfile:
outfile.write(json_output)
except (TypeError, OverflowError) as e:
print(f"Error serializing JSON: {e}")
Standards
  • Resource Management
  • ISO-25010 Reliability

Comment on lines +26 to +27
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sensitive Data Exposure

GitHub event data may contain sensitive information like tokens or secrets. Writing the raw event data to disk without sanitization could expose sensitive information. No redaction of sensitive fields is performed before writing to disk.

Suggested change
with open(output_path, "w") as outfile:
outfile.write(json.dumps(event_data))
# Create a sanitized copy to remove sensitive data
sanitized_data = json.loads(json.dumps(event_data))
# Remove potentially sensitive fields
sensitive_keys = ["token", "password", "secret", "authorization"]
def redact_sensitive(obj, keys):
if isinstance(obj, dict):
for k in list(obj.keys()):
if any(sensitive in k.lower() for sensitive in keys):
obj[k] = "[REDACTED]"
elif isinstance(obj[k], (dict, list)):
redact_sensitive(obj[k], keys)
elif isinstance(obj, list):
for item in obj:
if isinstance(item, (dict, list)):
redact_sensitive(item, keys)
redact_sensitive(sanitized_data, sensitive_keys)
with open(output_path, "w") as outfile:
outfile.write(json.dumps(sanitized_data))
Standards
  • CWE-200
  • OWASP-A02

print(f"Event data written to: {output_path}")
Comment on lines +25 to +28
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

Writing to a predictable file path in a public directory like /tmp is insecure. It can lead to race conditions where an attacker could replace the file with a symbolic link to a sensitive file, potentially causing data corruption or denial of service. It's safer to use the tempfile module to create a temporary file with a random, unpredictable name.

Suggested change
output_path = "/tmp/event_dump.json"
with open(output_path, "w") as outfile:
outfile.write(json.dumps(event_data))
print(f"Event data written to: {output_path}")
import tempfile
with tempfile.NamedTemporaryFile(mode='w', delete=False, suffix='.json', dir='/tmp', prefix='event_dump_') as outfile:
outfile.write(json.dumps(event_data))
print(f'Event data written to: {outfile.name}')

Comment on lines +25 to +28
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

File I/O Exception Handling Gap

File operations lack specific exception handling for common I/O errors like permission issues or disk full scenarios. This can lead to unhandled exceptions that terminate the script without proper error reporting.

Suggested change
output_path = "/tmp/event_dump.json"
with open(output_path, "w") as outfile:
outfile.write(json.dumps(event_data))
print(f"Event data written to: {output_path}")
output_path = "/tmp/event_dump.json"
try:
with open(output_path, "w") as outfile:
outfile.write(json.dumps(event_data))
print(f"Event data written to: {output_path}")
except (IOError, PermissionError) as e:
print(f"Error writing to file: {e}")
Standards
  • ISO-IEC-25010-Reliability-Fault-Tolerance
  • SRE-Error-Handling
  • DbC-Resource-Management


Comment on lines +25 to +29
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Verification agent

❓ Verification inconclusive

Unsafe write to predictable /tmp path; symlink overwrite risk, race conditions, and possible data exposure.

Writing to a fixed /tmp/event_dump.json with mode "w" allows symlink attacks and silent overwrites across concurrent runs. Also, default permissions may make the dump world-readable. Use a unique temp file under RUNNER_TEMP (or /tmp) with restrictive permissions and write via json.dump.

Apply this diff to use a securely created temp file and safer write:

-        output_path = "/tmp/event_dump.json"
-        with open(output_path, "w") as outfile:
-            outfile.write(json.dumps(event_data))
-        print(f"Event data written to: {output_path}")
+        import tempfile
+        tmp_dir = os.getenv("RUNNER_TEMP", "/tmp")
+        with tempfile.NamedTemporaryFile("w", delete=False, prefix="event_dump_", suffix=".json", dir=tmp_dir) as outfile:
+            json.dump(event_data, outfile, indent=2)
+            output_path = outfile.name
+        os.chmod(output_path, 0o600)
+        print(f"Event data written to: {output_path}")

Additionally:

  • Persisting the full event payload can expose PII or secrets in artifacts/logs. Ensure this runs only in a trusted debug context and consider redacting sensitive keys (e.g., token, authorization, password, secret) before persisting.
  • If you must keep a deterministic path, open with mode "x" (create-fail if exists) at minimum to avoid overwrites, but prefer a unique temp file as above.

Do not write to a fixed /tmp path — create a secure, unique temp file and restrict permissions

Writing to "/tmp/event_dump.json" is vulnerable to symlink/race attacks and may leak secrets. Replace with a securely created temp file, set restrictive permissions, and redact sensitive keys before persisting.

  • File: main.py — lines 25-29
  • Action: use tempfile.NamedTemporaryFile in RUNNER_TEMP (fallback /tmp), json.dump, os.chmod(0o600)

Apply this diff:

-        output_path = "/tmp/event_dump.json"
-        with open(output_path, "w") as outfile:
-            outfile.write(json.dumps(event_data))
-        print(f"Event data written to: {output_path}")
+        import os, tempfile
+        tmp_dir = os.getenv("RUNNER_TEMP", "/tmp")
+        with tempfile.NamedTemporaryFile("w", delete=False, prefix="event_dump_", suffix=".json", dir=tmp_dir) as outfile:
+            json.dump(event_data, outfile, indent=2)
+            output_path = outfile.name
+        os.chmod(output_path, 0o600)
+        print(f"Event data written to: {output_path}")

Notes:

  • Redact tokens/authorization/password/secret fields before writing or restrict this dump to trusted debug runs only.
  • If you require a deterministic path, open with mode "x" (create-only) to avoid silent overwrites — but unique temp files are preferred.
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
output_path = "/tmp/event_dump.json"
with open(output_path, "w") as outfile:
outfile.write(json.dumps(event_data))
print(f"Event data written to: {output_path}")
import os, tempfile
tmp_dir = os.getenv("RUNNER_TEMP", "/tmp")
with tempfile.NamedTemporaryFile("w", delete=False, prefix="event_dump_", suffix=".json", dir=tmp_dir) as outfile:
json.dump(event_data, outfile, indent=2)
output_path = outfile.name
os.chmod(output_path, 0o600)
print(f"Event data written to: {output_path}")
🤖 Prompt for AI Agents 
In main.py around lines 25 to 29, do not write to the fixed
"/tmp/event_dump.json"; instead create a secure, unique temp file (use
tempfile.NamedTemporaryFile with delete=False and
dir=os.environ.get("RUNNER_TEMP", "/tmp") so you respect RUNNER_TEMP fallback),
redact sensitive keys (token, authorization, password, secret, etc.) from
event_data before serializing, write the JSON using json.dump to the temp file,
close it and set restrictive permissions with os.chmod(temp_path, 0o600), and
only leave dumps like this for trusted debug runs or use mode "x"/create-only if
you require deterministic creation to avoid race conditions.

except Exception as e:
print(f"Error reading event data: {e}")

if __name__ == "__main__":
main()
main()