chore(workflow): enhance artifact security with validation and sanitization (#5343)

alionazherdetska · web-flow · commit e64e71ead8b2 · 2025-05-08T15:00:11.000+02:00
## 📄 Description Add comprehensive validation and sanitization for artifact upload/download actions: - Validate folder existence and input formats - Sanitize event IDs and actions before output - Use temporary directories for safer operations - Improve error handling with clear messages ## 🚀 Demo If applicable, please add a screenshot or video to illustrate the changes. --- ## 📝 Checklist - ✅ My code follows the style guidelines of this project - 🛠️ I have performed a self-review of my own code - 📄 I have made corresponding changes to the documentation - ⚠️ My changes generate no new warnings or errors - 🧪 I have added tests that prove my fix is effective or that my feature works - ✔️ New and existing unit tests pass locally with my changes
diff --git a/.github/actions/artifact-download/action.yaml b/.github/actions/artifact-download/action.yaml
@@ -31,24 +31,59 @@ outputs:
 runs:
   using: composite
   steps:
+    - name: Create temporary directory
+      shell: bash
+      run: mkdir -p ${{ runner.temp }}/artifact_download
+
     - name: Download artifact
       uses: dawidd6/action-download-artifact@07ab29fd4a977ae4d2b275087cf67563dfdf0295
       with:
         name: ${{ inputs.name }}
         run_id: ${{ github.event.workflow_run.id }}
         workflow_conclusion: success
+        path: ${{ runner.temp }}/artifact_download
 
+    - name: Ensure target directory exists
+      shell: bash
+      run: mkdir -p ${{ inputs.folder }}
+      
     - name: Unzip artifacts
       shell: bash
-      run: unzip artifacts.zip -d ${{ inputs.folder }}
+      run: unzip ${{ runner.temp }}/artifact_download/artifacts.zip -d ${{ inputs.folder }}
+
+    - name: Validate artifact contents
+      shell: bash
+      run: |
+        if [[ ! -f "${{ inputs.folder }}/GHA-EVENT-ID" ]]; then
+          echo "Error: Event ID file missing"
+          exit 1
+        fi
+        
+        if [[ ! -f "${{ inputs.folder }}/GHA-EVENT-ACTION" ]]; then
+          echo "Error: Event Action file missing"
+          exit 1
+        fi
+        
+        # Validate ID is numeric
+        EVENT_ID=$(cat ${{ inputs.folder }}/GHA-EVENT-ID)
+        if ! [[ "$EVENT_ID" =~ ^[0-9]*$ ]]; then
+          echo "Error: Invalid Event ID format"
+          exit 1
+        fi
 
     - name: Clean up
       shell: bash
-      run: rm -r artifacts.zip
+      run: rm -rf ${{ runner.temp }}/artifact_download
 
     - name: Create outputs
       id: build
       shell: bash
       run: |
-        echo "id=$(cat ${{ inputs.folder }}/GHA-EVENT-ID)" >> $GITHUB_OUTPUT
-        echo "action=$(cat ${{ inputs.folder }}/GHA-EVENT-ACTION)" >> $GITHUB_OUTPUT
+        EVENT_ID=$(cat ${{ inputs.folder }}/GHA-EVENT-ID)
+        EVENT_ACTION=$(cat ${{ inputs.folder }}/GHA-EVENT-ACTION)
+        
+        SANITIZED_ID=$(echo "$EVENT_ID" | tr -cd '[:digit:]')
+        SANITIZED_ACTION=$(echo "$EVENT_ACTION" | tr -cd '[:alnum:]-_')
+        
+        echo "id=$SANITIZED_ID" >> $GITHUB_OUTPUT
+        echo "action=$SANITIZED_ACTION" >> $GITHUB_OUTPUT
diff --git a/.github/actions/artifact-upload/action.yaml b/.github/actions/artifact-upload/action.yaml
@@ -20,11 +20,27 @@ inputs:
 runs:
   using: composite
   steps:
+    - name: Validate folder exists
+      shell: bash
+      run: |
+        if [[ ! -d "${{ inputs.folder }}" ]]; then
+          echo "Error: Folder ${{ inputs.folder }} does not exist"
+          exit 1
+        fi
+
     - name: Save Event Infos into the artifact folder
       shell: bash
       run: |
-        echo ${{ github.event.number }} > ${{ inputs.folder }}/GHA-EVENT-ID
-        echo ${{ github.event.action }} > ${{ inputs.folder }}/GHA-EVENT-ACTION
+        if ! [[ "${{ github.event.number }}" =~ ^[0-9]*$ ]]; then
+          echo "Warning: Invalid event number format, using default"
+          echo "0" > ${{ inputs.folder }}/GHA-EVENT-ID
+        else
+          echo "${{ github.event.number }}" > ${{ inputs.folder }}/GHA-EVENT-ID
+        fi
+        
+        ACTION="${{ github.event.action }}"
+        SANITIZED_ACTION=$(echo "$ACTION" | tr -cd '[:alnum:]-_')
+        echo "$SANITIZED_ACTION" > ${{ inputs.folder }}/GHA-EVENT-ACTION
 
     - name: Zip artifact folder
       shell: bash
