feat: Add directory input to Maven builder (#2538)

AdamKorcz · laurentsimon · web-flow · commit 324ff12a1e3b · 2023-08-15T18:25:21.000Z
Adds another `input` for the Maven builder to allow the user to specify the project directory. The current problem this solves is to make slsa-framework/example-package#253 work. This was suggested by @laurentsimon in slsa-framework/example-package#253 (comment) --------- Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Signed-off-by: AdamKorcz <adam@adalogics.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
diff --git a/.github/workflows/builder_maven_slsa3.yml b/.github/workflows/builder_maven_slsa3.yml
@@ -27,6 +27,11 @@ on:
         required: false
         default: 17
         type: number
+      directory:
+        description: "Sub-directory to launch the build from. Must be under the workspace. Relative from the root of the file directory when invoking the builder."
+        required: false
+        type: string
+        default: "."
 
     outputs:
       provenance-name:
diff --git a/internal/builders/maven/action.yml b/internal/builders/maven/action.yml
@@ -68,12 +68,41 @@ runs:
       shell: bash
       env:
         SLSA_OUTPUTS_ARTIFACTS_FILE: ${{ inputs.slsa-layout-file }}
+        UNTRUSTED_PROJECT_ROOT: ${{ fromJson(inputs.slsa-workflow-inputs).directory }}
       run: |
+        # Ensure no directory traversal.
+        # NOTE: the actions/download-artifact Action only creates files
+        # in the workspace directory, but this may change in the future.
+        # TODO(#1893): Consolidate directory traversal checks
+        validate_path() {
+          untrusted_path=$1
+          resolved_dir=$(readlink -m "$untrusted_path")
+          wd=$(readlink -m "${GITHUB_WORKSPACE}")
+          if [[ "${resolved_dir}" != "${wd}"/* ]] && [[ "${resolved_dir}" != "${wd}" ]]; then
+            if [[ "${RUNNER_TEMP}" != "" ]] && [[ "${resolved_dir}" != "${RUNNER_TEMP}"/* ]] && [[ "${resolved_dir}" != "${RUNNER_TEMP}" ]]; then
+              if [[ "${resolved_dir}" != /tmp/* ]] && [[ "${resolved_dir}" != "/tmp" ]]; then
+                echo "Path is not in the workspace or temp directory: $untrusted_path"
+                exit 1
+              fi
+            fi
+          fi
+        }
+
+        validate_path "${UNTRUSTED_PROJECT_ROOT}"
+
+        # remove trailing "/"'s with `realpath`
+        project_root=$(realpath "${UNTRUSTED_PROJECT_ROOT}")
+
         mv ./__BUILDER_CHECKOUT_DIR__ ../__BUILDER_CHECKOUT_DIR__ \
           && cd ../__BUILDER_CHECKOUT_DIR__/actions/maven/publish/slsa-hashing-plugin \
           && mvn clean install \
           && cd - \
+          && cd "${project_root}" \
           && mvn package  -Drun.hash.jarfile=true
+        # NOTE: SLSA_OUTPUTS_ARTIFACTS_FILE is a relative path and the project_root may
+        # not be in GITHUB_WORKSPACE, so we need to move the file.
+        mv $(dirname "${SLSA_OUTPUTS_ARTIFACTS_FILE}") "${GITHUB_WORKSPACE}/../"
+        mv target "${GITHUB_WORKSPACE}/"
     - name: Upload target
       id: upload-target
       uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-folder@main
