
Commit 26893c8

authored
Fix an issue with untrusted input (#1873)
* Fix an issue with untrusted input * feedback
1 parent f53b989 commit 26893c8

2 files changed

+53
-16
lines changed


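--- a/.github/workflows/deploy-docs-to-pages.yml
+++ b/.github/workflows/deploy-docs-to-pages.yml
@@ -34,26 +34,34 @@ jobs:
 steps:
 - name: Extract version
 id: extract_version
+env:
+VERSION: ${{ inputs.version }}
 run: |
-VERSION=${{ inputs.version }}
+set -euo pipefail
 MAJOR_VERSION=$(echo "$VERSION" | cut -d. -f1)
 echo "VERSION_DIR=v$MAJOR_VERSION" >> $GITHUB_ENV
 
 - name: Download packaged docs artifacts
 id: download_docs
+env:
+VERSION: ${{ inputs.version }}
 uses: actions/download-artifact@v4
 with:
-name: packaged-docs-${{ inputs.version }}
+name: packaged-docs-$VERSION
 path: build/docs
 
 - name: Extract documentation for GitHub Pages
 env:
 VERSION: ${{ inputs.version }}
 run: |
 # Verify the artifact was downloaded
-if [ ! -f "build/docs/$VERSION-kdoc.tar.gz" ]; then
+set -euo pipefail
+
+DOC_PATH="build/docs/${VERSION}-kdoc.tar.gz"
+
+if [ ! -f "$DOC_PATH" ]; then
 echo "Error: Documentation artifact not found!"
-echo "Expected: build/docs/$VERSION-kdoc.tar.gz"
+echo "Expected: $DOC_PATH"
 echo "Available files:"
 find build/docs -type f 2>/dev/null || echo "No build/docs directory found"
 exit 1
@@ -63,7 +71,7 @@ jobs:
 mkdir -p ./pages-docs
 
 # Extract the tar.gz file
-tar -xzf build/docs/$VERSION-kdoc.tar.gz -C ./pages-docs
+tar -xzf "$DOC_PATH" -C ./pages-docs
 
 # Verify extraction was successful
 if [ -z "$(ls -A ./pages-docs)" ]; then
@@ -77,10 +85,12 @@ jobs:
 
 - name: Deploy to GitHub Pages
 uses: peaceiris/actions-gh-pages@v4
+env:
+VERSION: ${{ inputs.version }}
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 publish_branch: gh-pages
 publish_dir: ./pages-docs
-destination_dir: ${{ inputs.version }}
+destination_dir: $VERSION
 keep_files: true
 enable_jekyll: false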
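Review bot: The `$VERSION` placed in `with:` of the `uses:` steps (`name: packaged-docs-$VERSION` at new line 50 and `destination_dir: $VERSION` at new line 94) is never shell-expanded — action inputs are handed to the action verbatim — so download-artifact will look for an artifact literally named `packaged-docs-$VERSION` and actions-gh-pages will publish into a directory literally named `$VERSION`. The `${{ inputs.version }}` expressions those lines replaced were not a script-injection sink in the first place, since a `with:` value is never interpolated into a shell; the env-variable pattern is only needed inside `run:` blocks, where this commit applies it correctly. Restore `name: packaged-docs-${{ inputs.version }}` and `destination_dir: ${{ inputs.version }}` on those two lines and drop the `env:` added to those two steps. Separately, if the input is really to be treated as untrusted, the `run:` steps still build a tar path and a `$GITHUB_ENV` line from it unvalidated; a guard such as `[[ "$VERSION" =~ ^[0-9]+(\.[0-9]+)*$ ]] || { echo "invalid version: $VERSION" >&2; exit 1; }` at the top of the Extract version step would reject traversal sequences and embedded newlines before they reach `echo ... >> $GITHUB_ENV` or `DOC_PATH`.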

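--- a/.github/workflows/publish-docs.yml
+++ b/.github/workflows/publish-docs.yml
@@ -27,19 +27,23 @@ jobs:
 # Download pre-packaged docs artifacts if they were published by the release workflow.
 - name: Download pre-packaged docs artifacts
 id: download_docs
+env:
+VERSION: ${{ inputs.version }}
 uses: actions/download-artifact@v4
 continue-on-error: true
 with:
-name: packaged-docs-${{ inputs.version }}
+name: packaged-docs-$VERSION
 path: build/docs
 
 # Fallback to building if artifacts were not previously uploaded for the given version.
 # NOTE: All the steps below this point will be skipped if the download step succeeds.
 - name: Checkout repo to build docs
 if: ${{ steps.download_docs.outcome == 'failure' }}
+env:
+VERSION: ${{ inputs.version }}
 uses: actions/checkout@v4
 with:
-ref: refs/tags/${{ inputs.version }}
+ref: refs/tags/$VERSION
 
 - name: Setup Java Version
 uses: actions/setup-java@v4
@@ -52,29 +56,46 @@ jobs:
 
 - name: Copy CI gradle.properties
 if: ${{ steps.download_docs.outcome == 'failure' }}
+env:
+VERSION: ${{ inputs.version }}
 run: |
+set -euo pipefail
 mkdir -p ~/.gradle
 cp .github/ci-gradle.properties ~/.gradle/gradle.properties
 
-- name: Verify Version
+- name: Verify Version (Gradle equality)
 if: ${{ steps.download_docs.outcome == 'failure' }}
+env:
+VERSION: ${{ inputs.version }}
 run: |
-VERSION=${{ inputs.version }}
-if [[ $(./gradlew -q getVersion) = $VERSION ]]; then exit 0 ; else exit 1; fi
+set -euo pipefail
+ACTUAL_VERSION=$(./gradlew -q getVersion)
+
+if [[ "$ACTUAL_VERSION" != "$VERSION" ]]; then
+echo "Gradle version mismatch: expected '$VERSION', got '$ACTUAL_VERSION'" >&2
+exit 1
+fi
+
+echo "Verified version matches Gradle: $VERSION"
 
 - name: Build docs packages
 if: ${{ steps.download_docs.outcome == 'failure' }}
+env:
+VERSION: ${{ inputs.version }}
 run: |
+set -euo pipefail
 ./gradlew packageDocs --stacktrace
 
 - name: Upload packaged docs artifacts
 if: ${{ steps.download_docs.outcome == 'failure' }}
+env:
+VERSION: ${{ inputs.version }}
 uses: actions/upload-artifact@v4
 with:
-name: packaged-docs-${{ inputs.version }}
+name: packaged-docs-$VERSION
 retention-days: 1
 path: |
-build/docs/${{ inputs.version }}-kdoc.tar.gz
+build/docs/$VERSION-kdoc.tar.gz
 
 upload-docs:
 if: github.repository == 'urbanairship/android-library'
@@ -84,15 +105,19 @@ jobs:
 # Docs should already be built and uploaded at this point, but we still need
 # this step in order for google-github-actions/auth to work in upload step.
 - name: Checkout repo
+env:
+VERSION: ${{ inputs.version }}
 uses: actions/checkout@v4
 with:
-ref: refs/tags/${{ inputs.version }}
+ref: refs/tags/$VERSION
 
 - name: Download packaged docs artifacts
 id: download_docs
+env:
+VERSION: ${{ inputs.version }}
 uses: actions/download-artifact@v4
 with:
-name: packaged-docs-${{ inputs.version }}
+name: packaged-docs-$VERSION
 path: build/docs
 
 - name: Setup GCP Auth
@@ -108,4 +133,6 @@ jobs:
 env:
 VERSION: ${{ inputs.version }}
 run: |
-gsutil cp build/docs/$VERSION-kdoc.tar.gz gs://ua-web-ci-prod-docs-transfer/libraries/android-kotlin/$VERSION.tar.gz
+set -euo pipefail
+gsutil cp "build/docs/${VERSION}-kdoc.tar.gz" \
+"gs://ua-web-ci-prod-docs-transfer/libraries/android-kotlin/${VERSION}.tar.gz"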
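Review bot: `ref: refs/tags/$VERSION` (new lines 46 and 112) will never resolve, because a `with:` input of a `uses:` step is passed to the action verbatim — no shell expands `$VERSION` there — so actions/checkout will try to fetch a tag literally named `$VERSION`; the same applies to `name: packaged-docs-$VERSION` on the download/upload steps and to `build/docs/$VERSION-kdoc.tar.gz` under upload-artifact's `path:`. Because the first download step has `continue-on-error: true`, the literal artifact name merely looks like "not published yet" and the job falls through to the build path, where the checkout then fails. Those `with:` values were not a shell-injection sink to begin with; restore `${{ inputs.version }}` in them and keep the `env:` + `$VERSION` pattern only inside `run:` blocks, where it is the right fix. The `env: VERSION` added to the Copy CI gradle.properties and Build docs packages steps is unused by their scripts and can be dropped. If the input is to be treated as untrusted, a format check such as `[[ "$VERSION" =~ ^[0-9]+(\.[0-9]+)*$ ]] || exit 1` before its first use would also keep traversal sequences out of the `refs/tags/`, `build/docs/` and `gs://` paths built from it.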
