-
-
Notifications
You must be signed in to change notification settings - Fork 1
ci+parser+test: fix all 7 audit findings (F1-F7, sha e289021) #82
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
cdbba58
df93f31
5895e08
9a08eb4
2545795
955aa64
14c48a8
c67f616
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,18 +1,18 @@ | ||
| name: Bump versions | ||
|
|
||
| # Weekly: check nginx.org/angie.software for newer nginx-stable/angie | ||
| # releases than what's pinned in ci-deep.yml's build-flavors matrix, and pull | ||
| # the vendored nginx-tests submodule to its upstream HEAD. nginx mainline is | ||
| # NOT touched here -- it's resolved dynamically at CI run time (see | ||
| # build-test.yml's `resolve` job / ci-deep.yml's per-job resolve steps), so | ||
| # there's no static mainline pin to bump. | ||
| # releases than what's pinned in ci-deep.yml's build-flavors matrix. nginx | ||
| # mainline is NOT touched here -- it's resolved dynamically at CI run time | ||
| # (see build-test.yml's `resolve` job / ci-deep.yml's per-job resolve steps), | ||
| # so there's no static mainline pin to bump. | ||
| # | ||
| # tools/bump-versions.sh does the actual work (also runnable locally with | ||
| # --dry-run to preview). Commits and pushes straight to master -- this repo | ||
| # has no branch protection gate for this path, and a version/digest/submodule | ||
| # bump is exactly the kind of low-risk, easily-revertable change that doesn't | ||
| # need a human in the loop before landing. The next build-test.yml run on | ||
| # master is what actually proves the bump didn't break anything. | ||
| # --dry-run to preview). Opens a PR rather than pushing straight to master -- | ||
| # master carries a required-pull-request ruleset with no bypass actor, so a | ||
| # direct push is always rejected (audit sha e289021 F4); the bot instead | ||
| # pushes a branch and opens a PR via BUMP_PR_TOKEN (a classic PAT -- the | ||
| # default GITHUB_TOKEN cannot create PRs on myguard-labs repos). Normal | ||
| # review/required-checks still gate the merge. | ||
| # | ||
| # Action pins (keep in sync with build-test.yml): | ||
| # actions/checkout@v5 -> 93cb6efe18208431cddfb8368fd83d5badbf9bfd | ||
|
|
@@ -28,36 +28,44 @@ concurrency: | |
| cancel-in-progress: true | ||
|
|
||
| permissions: | ||
| contents: write | ||
| contents: read | ||
|
|
||
| jobs: | ||
| bump: | ||
| name: Bump nginx-stable/angie/nginx-tests pins | ||
| name: Bump nginx-stable/angie pins | ||
| runs-on: [self-hosted, builder02, lxc] | ||
| timeout-minutes: 15 | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 | ||
| with: | ||
| persist-credentials: true | ||
| submodules: true | ||
| persist-credentials: false | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Run bump script | ||
| id: bump | ||
| run: bash tools/bump-versions.sh | ||
|
|
||
| - name: Commit and push if anything changed | ||
| - name: Open PR if anything changed | ||
| env: | ||
| GH_TOKEN: ${{ secrets.BUMP_PR_TOKEN }} | ||
| run: | | ||
| set -euo pipefail | ||
| if [ -z "$(git status --porcelain)" ]; then | ||
| echo "nothing changed, skipping commit" | ||
| echo "nothing changed, skipping PR" | ||
| exit 0 | ||
| fi | ||
| branch="bump/versions-$(date -u +%Y%m%d)" | ||
| git config user.name "myguard-bump-bot" | ||
| git config user.email "actions@users.noreply.github.com" | ||
| git checkout -b "$branch" | ||
| git add -A | ||
| git commit -m "chore: bump nginx-stable/angie/nginx-tests pins | ||
| git commit -m "chore: bump nginx-stable/angie pins | ||
|
|
||
| Automated weekly version check (tools/bump-versions.sh)." | ||
| git push origin HEAD:master | ||
| git push origin "$branch" | ||
| gh pr create \ | ||
| --title "chore: bump nginx-stable/angie pins ($(date -u +%Y-%m-%d))" \ | ||
| --body "Automated weekly version check (tools/bump-versions.sh). Review the diff and let required CI checks gate the merge." \ | ||
| --base master \ | ||
| --head "$branch" | ||
|
Comment on lines
+58
to
+71
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win Make the bump branch and PR flow idempotent. The date-only branch name collides whenever the workflow is rerun on the same UTC day. 🤖 Prompt for AI Agents |
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,12 +2,11 @@ name: CI Deep | |
|
|
||
| # Exhaustive dynamic analysis — monthly cron + on-demand only, NEVER on PR. | ||
| # The fast PR-time gates live in standalone workflows: fuzzing.yml (120s fuzz | ||
| # regression), valgrind.yml (60s memcheck-lite soak) and security-scanners.yml | ||
| # (scanners) run on every PR/push; THIS file stays the exhaustive monthly + | ||
| # workflow_dispatch run. codeql.yml is dropped entirely: | ||
| # CodeQL / the GitHub Security tab is GitHub-Advanced-Security only and does | ||
| # nothing on a private repo, so the SARIF-upload path is removed too — the | ||
| # scanners still run and GATE on findings, they just don't upload. | ||
| # regression), valgrind.yml (60s memcheck-lite soak), security-scanners.yml | ||
| # (scanners), and codeql.yml (semantic analysis) all run on every PR/push; | ||
| # THIS file stays the exhaustive monthly + workflow_dispatch run: the | ||
| # multi-flavor build matrix (mainline/stable/angie) plus hours-long fuzzing | ||
| # and full Memcheck/Helgrind soaks that would blow the PR-gate time budget. | ||
| # | ||
| # Jobs: build-flavors (nginx mainline/stable + angie) · fuzz (14400s/target) · | ||
| # memcheck soak · helgrind soak · scanners. | ||
|
|
@@ -130,11 +129,23 @@ jobs: | |
| sudo apt-get install -y clang | ||
|
|
||
| - name: Select fuzz duration | ||
| env: | ||
| RAW_FUZZ_SECONDS: ${{ github.event.inputs.fuzz_seconds }} | ||
| run: | | ||
| if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then | ||
| echo "FUZZ_SECS=${{ github.event.inputs.fuzz_seconds }}" >> "$GITHUB_ENV" | ||
| case "$RAW_FUZZ_SECONDS" in | ||
| ''|*[!0-9]*) | ||
| echo "::error::fuzz_seconds must be a non-negative integer, got: $RAW_FUZZ_SECONDS" | ||
| exit 1 | ||
| ;; | ||
| esac | ||
| if [ "$RAW_FUZZ_SECONDS" -gt 14400 ]; then | ||
| echo "::error::fuzz_seconds exceeds the 14400s (4h) budget: $RAW_FUZZ_SECONDS" | ||
| exit 1 | ||
| fi | ||
| printf 'FUZZ_SECS=%s\n' "$RAW_FUZZ_SECONDS" >> "$GITHUB_ENV" | ||
|
Comment on lines
+136
to
+146
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win Reject oversized numeric inputs before the The digit-only check still accepts arbitrarily long values; once they overflow the shell’s integer comparison, the 🤖 Prompt for AI Agents |
||
| else | ||
| echo "FUZZ_SECS=3600" >> "$GITHUB_ENV" | ||
| printf 'FUZZ_SECS=3600\n' >> "$GITHUB_ENV" | ||
| fi | ||
|
|
||
| - name: Build fuzz target | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -53,6 +53,15 @@ jobs: | |
| ver=$(curl -fsSL https://nginx.org/en/download.html \ | ||
| | grep -oP 'nginx-\K[0-9]+\.[0-9]+\.[0-9]+(?=\.tar\.gz)' | sort -V | tail -1) | ||
| wget -q "https://nginx.org/download/nginx-${ver}.tar.gz" | ||
| wget -q "https://nginx.org/download/nginx-${ver}.tar.gz.asc" -O "nginx-${ver}.tar.gz.asc" | ||
| gnupghome="$(mktemp -d)" | ||
| export GNUPGHOME="$gnupghome" | ||
| chmod 700 "$gnupghome" | ||
| for keyfile in "$GITHUB_WORKSPACE"/tools/keys/*.key; do | ||
| gpg --quiet --import "$keyfile" 2>/dev/null | ||
|
Comment on lines
+56
to
+61
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win 🧩 Analysis chain🏁 Script executed: #!/bin/bash
set -euo pipefail
echo '--- security-scanners.yml ---'
nl -ba .github/workflows/security-scanners.yml | sed -n '1,180p'
echo
echo '--- valgrind.yml ---'
nl -ba .github/workflows/valgrind.yml | sed -n '1,180p'Repository: myguard-labs/nginx-zstd-module Length of output: 238 🏁 Script executed: #!/bin/bash
set -euo pipefail
python3 - <<'PY'
from pathlib import Path
for path in [Path('.github/workflows/security-scanners.yml'), Path('.github/workflows/valgrind.yml')]:
print(f'--- {path} ---')
lines = path.read_text().splitlines()
for i, line in enumerate(lines, 1):
if 1 <= i <= 220:
print(f'{i:4}: {line}')
print()
PYRepository: myguard-labs/nginx-zstd-module Length of output: 8976 🏁 Script executed: #!/bin/bash
set -euo pipefail
python3 - <<'PY'
from pathlib import Path
for path in [Path('.github/workflows/security-scanners.yml'), Path('.github/workflows/valgrind.yml')]:
print(f'=== {path} ===')
text = path.read_text().splitlines()
for start in [1, 41, 81, 121, 161]:
if start > len(text):
continue
end = min(start + 59, len(text))
print(f'--- lines {start}-{end} ---')
for i in range(start, end + 1):
print(f'{i:4}: {text[i-1]}')
print()
PYRepository: myguard-labs/nginx-zstd-module Length of output: 12578 🏁 Script executed: #!/bin/bash
set -euo pipefail
python3 - <<'PY'
from pathlib import Path
for path in [Path('.github/workflows/security-scanners.yml'), Path('.github/workflows/valgrind.yml')]:
print(f'=== {path} ===')
lines = path.read_text().splitlines()
for i, line in enumerate(lines, 1):
if 'gpg' in line or 'apt' in line or 'apk' in line or 'yum' in line or 'dnf' in line or 'brew' in line or 'pacman' in line or 'zypper' in line or 'apt-get' in line:
lo = max(1, i - 8)
hi = min(len(lines), i + 8)
print(f'--- context around line {i} ---')
for j in range(lo, hi + 1):
print(f'{j:4}: {lines[j-1]}')
print()
PYRepository: myguard-labs/nginx-zstd-module Length of output: 7933 🏁 Script executed: #!/bin/bash
set -euo pipefail
python3 - <<'PY'
from pathlib import Path
for path in [Path('.github/workflows/security-scanners.yml'), Path('.github/workflows/valgrind.yml')]:
print(f'=== {path} ===')
lines = path.read_text().splitlines()
for i, line in enumerate(lines, 1):
if any(tok in line for tok in ['gpg', 'apt', 'apk', 'yum', 'dnf', 'brew', 'pacman', 'zypper', 'apt-get']):
lo = max(1, i - 8)
hi = min(len(lines), i + 8)
print(f'--- context around line {i} ---')
for j in range(lo, hi + 1):
print(f'{j:4}: {lines[j-1]}')
print()
PYRepository: myguard-labs/nginx-zstd-module Length of output: 7933 🏁 Script executed: #!/bin/bash
set -euo pipefail
python3 - <<'PY'
from pathlib import Path
for path in Path('.github/workflows').glob('*.yml'):
text = path.read_text()
if 'gpg' in text or 'gnupg' in text:
print(f'=== {path} ===')
for i, line in enumerate(text.splitlines(), 1):
if 'gpg' in line or 'gnupg' in line:
print(f'{i:4}: {line}')
print()
PYRepository: myguard-labs/nginx-zstd-module Length of output: 2281 🏁 Script executed: #!/bin/bash
set -euo pipefail
python3 - <<'PY'
from pathlib import Path
for path in Path('.').rglob('*'):
if path.is_file() and path.suffix in {'.yml', '.yaml', '.md', '.txt'}:
try:
text = path.read_text()
except Exception:
continue
if 'gpg' in text or 'gnupg' in text:
print(f'=== {path} ===')
for i, line in enumerate(text.splitlines(), 1):
if 'gpg' in line or 'gnupg' in line:
print(f'{i:4}: {line}')
print()
PYRepository: myguard-labs/nginx-zstd-module Length of output: 2281 🏁 Script executed: #!/bin/bash
set -euo pipefail
python3 - <<'PY'
from pathlib import Path
patterns = ['gnupg', 'gpg', 'builder02', 'lxc', 'self-hosted', 'apt-get install -y', 'apt install -y']
for path in Path('.').rglob('*'):
if not path.is_file():
continue
if path.suffix.lower() not in {'.yml', '.yaml', '.md', '.txt', '.adoc'}:
continue
try:
lines = path.read_text(errors='ignore').splitlines()
except Exception:
continue
hits = []
for i, line in enumerate(lines, 1):
if any(p in line for p in patterns):
hits.append((i, line))
if hits:
print(f'=== {path} ===')
for i, line in hits[:80]:
print(f'{i:4}: {line}')
print()
PYRepository: myguard-labs/nginx-zstd-module Length of output: 4408 🏁 Script executed: #!/bin/bash
set -euo pipefail
python3 - <<'PY'
from pathlib import Path
targets = [Path('README.md'), Path('docs'), Path('.github')]
for root in targets:
if root.is_file():
paths = [root]
elif root.is_dir():
paths = [p for p in root.rglob('*') if p.is_file()]
else:
continue
for path in paths:
try:
text = path.read_text(errors='ignore')
except Exception:
continue
if any(k in text.lower() for k in ['gpg', 'gnupg', 'builder02', 'lxc', 'self-hosted runner', 'runner image', 'preinstalled']):
print(f'=== {path} ===')
for i, line in enumerate(text.splitlines(), 1):
if any(k in line.lower() for k in ['gpg', 'gnupg', 'builder02', 'lxc', 'self-hosted runner', 'runner image', 'preinstalled']):
print(f'{i:4}: {line}')
print()
PYRepository: myguard-labs/nginx-zstd-module Length of output: 3490 Install 📍 Affects 2 files
🤖 Prompt for AI Agents |
||
| done | ||
| gpg --quiet --verify "nginx-${ver}.tar.gz.asc" "nginx-${ver}.tar.gz" | ||
| rm -rf "$gnupghome" | ||
|
Comment on lines
+57
to
+64
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win 🧩 Analysis chain🏁 Script executed: #!/bin/bash
set -euo pipefail
printf '\n== security-scanners.yml ==\n'
sed -n '1,180p' .github/workflows/security-scanners.yml
printf '\n== valgrind.yml ==\n'
sed -n '1,180p' .github/workflows/valgrind.ymlRepository: myguard-labs/nginx-zstd-module Length of output: 7796 Install an EXIT trap for A failed key import or signature check skips the final
📍 Affects 2 files
🤖 Prompt for AI Agents |
||
| tar -xzf "nginx-${ver}.tar.gz"; cd "nginx-${ver}" | ||
| CC=gcc ./configure --with-compat --add-dynamic-module="$GITHUB_WORKSPACE" >/dev/null | ||
| echo "NGINX_SRC_TREE=$PWD" >> "$GITHUB_ENV" | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🩺 Stability & Availability | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
sed -n '1,220p' .github/workflows/bump.ymlRepository: myguard-labs/nginx-zstd-module
Length of output: 2744
🏁 Script executed:
Repository: myguard-labs/nginx-zstd-module
Length of output: 3170
🏁 Script executed:
sed -n '1,220p' tools/bump-versions.shRepository: myguard-labs/nginx-zstd-module
Length of output: 7599
Authenticate git before the push.
persist-credentials: falseremoves checkout’s credential helper, sogit push origin "$branch"needs a git auth step afterGH_TOKENis set (gh auth setup-gitor equivalent). EnsureBUMP_PR_TOKENcan write to the repo.🤖 Prompt for AI Agents