Output hard to read #70
Comments
|
Same. Would it be possible to get the colors and other styling as on the command line? This single-line blob of text isn't easy to read 👇
|
|
Yeah, this output is looking terrible! This was introduced on PR #58 when fixing a security issue. I'll have a look to see if there's a way to show the results formatted while keeping command processing disabled 🤞 |
|
From |
|
@jdbruijn I believe it's a bit more complex than that. On the announcement of this issue, GitHub advised to disable command processing on any information that contains commit messages:
|
|
I understand that your idea is to just check if the messages contain the command start syntax ( |
|
I agree that it is what they advised, I was merely suggesting an alternative approach. Based on what I quickly saw in the toolkit source code and documentation that is the defined syntax of commands. I totally agree that if there is a solution that keeps the commands stopped, that would be preferred. I'm not an expert at that topic at all and only briefly looked into it before making my suggestion above. FYI: In that time I also have not found a generically used solution for this use case. |
|
Also, quickly based on the source code of the action runner commands are detected as follows.
So this means a simple check on the current command start suffix |
|
Thanks for the in-depth check @jdbruijn! ❤️ Your investigation seems solid, But the problem is: will it be enough to just remove those sequences from the messages, even if those are the only available options? That's why I wanted to get an official alternative. We could definitely try a workaround, but we won't be sure whether the workaround is correct or not since we're not experts in the topic, just like you said. There might be other exploits we are missing by just replacing some strings. I wish we could reach out to someone at GitHub to help us with this issue 😅 |
|
I found out one thing. If we stop "trying" to issue commands, github actions will show the output in multiple lines again. I've replaced the I also noticed that, due to the output generation logic, the action was still susceptible to the CVE-2020-15228 vulnerability. I've added PR #71 to tackle these concerns. Once github removes |
|
For reference, this is how the output looks like now (from this run):
|
That's nice, the output looks good again!
Could you please elaborate on this? I havent found reference for this in my quickly search, and would argue
They have removed these: GitHub Actions: Removing set-env and add-path commands on November 16. |
Sure! The thing is not only that specific functions of the toolkit were unsafe, but the fact that all commands need to be disabled. Think of it as "actions injection", or something like that (in a refenrece to SQL injection). The reason why github advised to completely disable command execution whenever logging untrusted information is because anyone can add any command related chars like
This is not a thing specific to the toolkit, is just that anytime you're logging any untrusted information to STDOUT you're open for other commands to be issued. I understand that the Command class applies some escaping to commands, but I don't believe this enough. Otherwise GitHub would be able to just advise "use this escaping logic to untrusted data" instead of advising to disable commands completely.
Oh that's interesting! I was searching for this but couldn't find it. I've checked the PR but it still seems a bit tricky. One could just set the |
True, a user could still set My point on the action output is that it does not print anything to the stdout explicitly, so is not vulnerable to that issue right? Sure the output could contain commands, but if it is not logged by this action it is no problem in relation to this action. If a user decides to log the output, they should do so in a safe matter themselves. I think it is then our responsibility to inform the user about potential commands in the output and reference the security issue, but the rest is on them. Just my two cents. |
It depends a bit, on forks we can edit the workflow and include the env. That's the part I was more concerned. But as you said, we can only do so much, if someone doesn't want to be exposed in any way they should disable running workflows from forks.
In order to create an output, we need to log to stdout. Creating an output is just about adding a message to stdout that contains the So considering all the scenarios that we've discussed here, I think we can summarize these concerns by doing 2 things in the end:
What do you think? |
I didn't realise, so you're absolutely right. Setting an output could still be harmful.
This would make this vulnerable to commands again, so is probably not what we want. I think we could create an issue in https://github.com/actions/toolkit/issues, to discuss how this topic should be handled with, I guess they can give good insight in what to do. |
|
That's true, maybe the toolkit collaborators can help us through this issue. Will do that! |
|
I've got an answer, looks like we're fine issuing those commands. Will add them again 🎉 |
|
Sounds good, thanks for reaching out to the toolkit collaborators! |
I followed the instructions in the readme, it is working but the output is very hard to decipher:
For example: https://github.com/boc-tothefuture/openhab-jruby/runs/1770247963?check_suite_focus=true
Is there a way to have it be multiline? It also doesn't seem to render the special characters too well.
The text was updated successfully, but these errors were encountered: