Enhance support of cache-dependency-paths outside the current directory #2
priya-kinthali wants to merge 6 commits into update-e2e-freethread from
```typescript
const baseDir = filePath.startsWith('**')
  ? process.cwd()
  : path.dirname(filePath.replace(/\*\*\/?/, ''));
const pattern = path.basename(filePath).replace('*', '.*');
```
Check failure: Code scanning / CodeQL: Incomplete string escaping or encoding (High)
Copilot Autofix (AI, 6 months ago): Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.
```typescript
  '^' +
    pattern
      .replace(/\*\*/g, '.*')
      .replace(/\*/g, '[^/]*')
      .replace(/(\w+)\*/g, '$1(-[^/]+)?')
      .replace(/\.(\w+)$/, '(\\.[^/]+)?') +
    '$'
```
Check failure: Code scanning / CodeQL: Regular expression injection (High)
Copilot Autofix (AI, 6 months ago):
To fix the issue, we need to sanitize the user input before embedding it into the regular expression. The best way to achieve this is by using a library like lodash and its _.escapeRegExp function, which escapes special characters in a string to make it safe for use in a regular expression. This ensures that any user-provided input cannot alter the intended behavior of the regular expression.
The fix involves:
- Importing the lodash library.
- Using _.escapeRegExp to sanitize the pattern variable before embedding it into the regular expression on line 47.
| @@ -1,2 +1,3 @@ | ||
| import * as core from '@actions/core'; | ||
| import _ from 'lodash'; | ||
| import * as finder from './find-python'; | ||
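Review bot: `import _ from 'lodash'` is a default import of a CommonJS module; if this file is compiled as TypeScript it needs `esModuleInterop`/`allowSyntheticDefaultImports` (and `@types/lodash` for typing) or the import does not compile. Since only one function is used, `import escapeRegExp from 'lodash/escapeRegExp'` or a local escape helper keeps the bundle smaller and sidesteps the interop question.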
| @@ -45,5 +46,6 @@ | ||
| const entries = fs.readdirSync(dir, {withFileTypes: true}); | ||
| const sanitizedPattern = _.escapeRegExp(pattern); | ||
| const regexPattern = new RegExp( | ||
| '^' + | ||
| pattern | ||
| sanitizedPattern | ||
| .replace(/\*\*/g, '.*') |
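Review bot: escaping the entire `pattern` before the wildcard substitutions breaks the translation that follows, because `_.escapeRegExp` also escapes `*` and `.`: `.replace(/\*\*/g, '.*')` no longer sees two adjacent `*`, `.replace(/\*/g, '[^/]*')` turns the escaped `\*` into `\[^/]*` (a literal `[`), and `.replace(/\.(\w+)$/, '(\\.[^/]+)?')` still matches the `.txt` inside the escaped `\.txt`, leaving `\(` and an unmatched `)` so `new RegExp` throws for a value as simple as `requirements.txt`. Escape only the literal text between wildcards and translate `**`/`*` separately instead of escaping the glob as a whole.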
| @@ -35,3 +35,4 @@ | ||
| "@iarna/toml": "^3.0.0", | ||
| "semver": "^7.6.0" | ||
| "semver": "^7.6.0", | ||
| "lodash": "^4.17.21" | ||
| }, |
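Review bot: adding lodash as a runtime dependency for a single function is heavy; the standalone `lodash.escaperegexp` package, or a one-line local escape (`str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')`), does the same job. If lodash stays, the lockfile needs the matching entry and, if the action ships a compiled bundle, that bundle has to be rebuilt so the dependency is actually present at runtime.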
| Package | Version | Security advisories |
|---|---|---|
| lodash (npm) | 4.17.21 | None |
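The autofix above escapes the whole pattern and only then substitutes wildcards, so the escaped `\*` collides with the `**`/`*` rules. As an added example (not code from this PR or from setup-python), here is a glob-to-RegExp builder in plain JavaScript that escapes only the literal segments and translates the wildcards separately; the sample path list is constructed, and treating `**/` as zero or more directories generalises beyond the single case on the page.

```javascript
// Added example, not code from the PR or from setup-python: convert a
// cache-dependency-path glob such as "**/requirements*.txt" into a RegExp
// without letting regex metacharacters in the glob change the pattern.
// Literals are escaped first, wildcards translated afterwards, so the two never collide.

// Escape every character RegExp treats specially (the same set lodash's
// _.escapeRegExp handles), written inline to avoid a dependency.
function escapeRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Tokenize the glob into literal text and the wildcards "**/", "**" and "*":
// "**/" matches zero or more leading directories, "**" anything including "/",
// "*" anything within one path segment. Paths are matched with "/" separators.
function globToRegExp(glob) {
  const body = glob
    .split(/(\*\*\/|\*\*|\*)/)            // capturing group keeps the wildcards as tokens
    .map(tok => {
      if (tok === '**/') return '(?:.*/)?';
      if (tok === '**') return '.*';
      if (tok === '*') return '[^/]*';
      return escapeRegExp(tok);           // literal text such as "requirements" or ".txt"
    })
    .join('');
  return new RegExp('^' + body + '$');
}

// Match one path against a glob; Windows backslashes are normalised to "/" first.
function globMatches(glob, relativePath) {
  return globToRegExp(glob).test(relativePath.replace(/\\/g, '/'));
}

// For comparison, the unescaped translation CodeQL flags: the "." in
// "requirements.txt" keeps its regex meaning, so "requirementsXtxt" matches too,
// and a glob containing "(" or "[" can make the RegExp constructor throw.
function unescapedGlobToRegExp(glob) {
  return new RegExp('^' + glob.replace(/\*\*/g, '.*').replace(/\*/g, '[^/]*') + '$');
}

// Constructed sample paths, relative to the workspace root, to exercise the matcher.
const constructedPaths = [
  'requirements.txt',
  'sub/dir/requirements-dev.txt',
  'requirementsXtxt',
  'sub/a.txt',
];
function matchingDependencyFiles(glob) {
  return constructedPaths.filter(p => globMatches(glob, p));
}
```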
```typescript
const baseDir = filePath.startsWith('**')
  ? process.cwd()
  : path.dirname(filePath.replace(/\*\*\/?/, ''));
const pattern = path.basename(filePath).replace('*', '.*');
```
Check failure: Code scanning / CodeQL: Incomplete string escaping or encoding (High)
Copilot Autofix (AI, 6 months ago):
To fix the issue, we need to ensure that all occurrences of '*' in the string path.basename(filePath) are replaced. This can be achieved by using a regular expression with the global (g) flag instead of the string-based replace method. The regular expression /\*/g will match all occurrences of '*' in the string.
The fix involves replacing the current replace call with a regular expression-based replacement. This change ensures that the resulting pattern correctly replaces all wildcard characters, aligning with the intended behavior.
| @@ -71,3 +71,3 @@ | ||
| : path.dirname(filePath.replace(/\*\*\/?/, '')); | ||
| const pattern = path.basename(filePath).replace('*', '.*'); | ||
| const pattern = path.basename(filePath).replace(/\*/g, '.*'); | ||
| resolvedPaths = traverseDir(baseDir, pattern); |
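Review bot: replacing every `*` in the basename with `.*` here pre-empts the translation in the regex builder that later turns `**` into `.*` and `*` into `[^/]*`: once this line has run no `*` is left, so the single-segment `[^/]*` branch and the `(\w+)\*` rule are never reached, and `.*` lets the basename match across `/`. The literal `.` in `.txt` is also still unescaped. Leave the wildcards in place and let one function translate them after escaping the literal text, so the two code paths cannot disagree.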
Description:
This PR supports cache-dependency-paths that are located outside the current directory, which is needed when building composite Actions.
Related issue:
setup-python#361
Check list: