Protect secrets with Environment protection rules when building external forks with pull_request_target 🤝

Building pull requests from forked repositories with GitHub Actions can be a bit tricky when it comes to secrets. According to the documentation, with the exception of GITHUB_TOKEN, secrets are not passed to the runner when a workflow is triggered from a forked repository. This is meant to prevent the automatic execution of untrusted code that may be contained in the forked repository.
That means that if you have secrets which need to be available in the workflow, you can't use the pull_request trigger.

Fortunately, pull_request_target comes to the rescue.

...the pull_request_target event behaves in an almost identical way to the pull_request event with the same set of filters and payload. However, instead of running against the workflow and code from the merge commit, the event runs against the workflow and code from the base of the pull request. This means the workflow is running from a trusted source...



Now you have access to the secrets, but you are building the wrong code: the workflow checks out the base of the pull request, not the pull request itself.

Apparently, there are people trying to overcome this with the following code:

#INSECURE
steps:
- uses: actions/checkout@v2
  with:
    ref: ${{ github.event.pull_request.head.sha }} # Check out the code of the PR


This is not recommended, and rightly so, because it is not safe unless you take additional security measures: it runs the untrusted code of the fork with the repository secrets available.

GitHub์˜ ์ž์ฒด ๊ธฐ์‚ฌPreventing pwn requests์—์„œ ์ €์žJaroslav Lobaฤevski๋Š” PR์— pull_request_target ๋ ˆ์ด๋ธ”์ด ์ง€์ •๋˜์—ˆ๋Š”์ง€ ์—ฌ๋ถ€๋ฅผ ํ™•์ธํ•˜๋Š” ์กฐ๊ฑด๊ณผ ํ•จ๊ป˜ safe to test๋ฅผ ์‚ฌ์šฉํ•  ๊ฒƒ์„ ์ œ์•ˆํ•ฉ๋‹ˆ๋‹ค. ์ด์™€ ๊ฐ™์ด:

    jobs:
      build:
        name: Build and test
        runs-on: ubuntu-latest
        if: contains(github.event.pull_request.labels.*.name, 'safe to test')


์ด๊ฒƒ์€ ์™„๋ฒฝํ•˜๊ฒŒ ์œ ํšจํ•œ ์ ‘๊ทผ ๋ฐฉ์‹์ด์ง€๋งŒ ํฌํฌ๋ฅผ ๋นŒ๋“œํ•˜๋Š” ๋™์•ˆ ์Šน์ธ๋˜์ง€ ์•Š์€ ์ฝ”๋“œ ์‹คํ–‰์„ ๋ฐฉ์ง€ํ•˜๋Š” ๋” ์ข‹๊ณ  ํŽธ๋ฆฌํ•œ ๋ฐฉ๋ฒ•์„ ์ฐพ์€ ๊ฒƒ ๊ฐ™์Šต๋‹ˆ๋‹ค.

Environment protection rules



Just a few months ago, GitHub introduced Environment protection rules. The main purpose of this feature is to protect environments during deployments by applying rules that pause the workflow run until a given condition is met: a human approval, a certain amount of time elapsed, and so on. But it can be used for general purposes as well. In our case, we're going to use it to protect the repository secrets and prevent the execution of untrusted code.

Protecting the build



์‚ฌ๋žŒ์˜ ์Šน์ธ์ด ํ•„์š”ํ•œ "๋Œ์–ด์˜ค๊ธฐ ์š”์ฒญ ํ†ตํ•ฉ"์ด๋ผ๋Š” ๋”๋ฏธ ํ™˜๊ฒฝ์„ ์ถ”๊ฐ€ํ•˜๋Š” ๊ฒƒ๋ถ€ํ„ฐ ์‹œ์ž‘ํ•˜๊ฒ ์Šต๋‹ˆ๋‹ค.



์šฐ๋ฆฌ์˜ ๊ธฐ๋ณธ ๋นŒ๋“œ ์ ˆ์ฐจ๋Š” ์ด ํ™˜๊ฒฝ๊ณผ ์—ฐ๊ฒฐ๋˜๋ฉฐ ๋”๋ฏธ ์›Œํฌํ”Œ๋กœ ๋‹จ๊ณ„approve๊ฐ€ ์„ ํ–‰๋˜์–ด ์›Œํฌํ”Œ๋กœ๋ฅผ ์‹œ์ž‘ํ•˜๊ณ  ํ’€ ์š”์ฒญ ์ž‘์„ฑ์ž์—๊ฒŒ ๋” ์ง„ํ–‰ํ•˜๊ธฐ ์ „์— ๊ฒ€ํ† ๊ฐ€ ํ•„์š”ํ•จ์„ ์•Œ๋ฆฝ๋‹ˆ๋‹ค.

on:
  pull_request_target:
    branches: [ master ]

jobs:
  approve: # First step
    runs-on: ubuntu-latest

    steps:
    - name: Approve
      run: echo For security reasons, all pull requests need to be approved first before running any automated CI.

  build: # Second step
    runs-on: ubuntu-latest

    needs: [approve] # Require the first step to finish
    environment:
      name: Integrate Pull Request # Our dummy environment
    steps:
    - ...


This way, the workflow won't proceed until someone has reviewed the submitted code, so in the next step we can safely check out ${{ github.event.pull_request.head.sha }} and build it. The build therefore runs with the trusted workflow from the base of the PR against the actual code of the PR.
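As an added example (not code from this post or from the WopiHost project), the following Python script scans a workflow file for the pattern discussed above: a pull_request_target trigger combined with a checkout of github.event.pull_request.head.sha in a job that has neither an environment binding (the approach of this post) nor a label condition (the 'safe to test' approach). It is a line-based heuristic rather than a full YAML parser, and the two sample workflows embedded in it are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Trigger, job and step patterns. Line-based on purpose so no YAML library is needed.
PRT_TRIGGER = re.compile(r"^\s*(pull_request_target\s*:|on\s*:.*\bpull_request_target\b)", re.M)
JOBS_HEADER = re.compile(r"^jobs\s*:\s*$", re.M)
JOB_KEY = re.compile(r"^(\s+)([A-Za-z_][\w-]*)\s*:\s*(#.*)?$")  # "  build:" (optional comment)
REF_KEY = re.compile(r"^\s*ref\s*:")
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
ENV_KEY = re.compile(r"^\s*environment\s*:")                      # job bound to an environment
LABEL_GATE = re.compile(r"^\s*if\s*:.*github\.event\.pull_request\.labels")  # 'safe to test' style


@dataclass
class Finding:
    job: str
    message: str


def _split_jobs(text):
    """Return [(job_name, body_lines)] for the keys directly under the top-level `jobs:`."""
    m = JOBS_HEADER.search(text)
    if not m:
        return []
    jobs, job_indent = [], None
    for line in text[m.end():].splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):        # dedent to column 0: the jobs block is over
            break
        km = JOB_KEY.match(line)
        if km and job_indent is None:
            job_indent = len(km.group(1))   # indentation of the first job decides the level
        if km and len(km.group(1)) == job_indent:
            jobs.append((km.group(2), []))
        elif jobs:
            jobs[-1][1].append(line)
    return jobs


def analyze_workflow(text):
    """List the jobs that check out the PR head under pull_request_target without a gate."""
    findings = []
    if not PRT_TRIGGER.search(text):
        return findings   # a plain pull_request run never receives the repository secrets
    for name, body in _split_jobs(text):
        checks_out_pr_head = any(REF_KEY.match(l) and PR_HEAD_REF.search(l) for l in body)
        gated = any(ENV_KEY.match(l) or LABEL_GATE.match(l) for l in body)
        if checks_out_pr_head and not gated:
            findings.append(Finding(name, "runs PR head code with secrets available and no approval gate"))
    return findings


# Constructed sample workflows (not taken from the post): the risky pattern and the gated one.
INSECURE_WORKFLOW = """\
on:
  pull_request_target:
    branches: [ master ]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
      with:
        ref: ${{ github.event.pull_request.head.sha }}
    - run: ./build.sh
      env:
        API_TOKEN: ${{ secrets.API_TOKEN }}
"""

PROTECTED_WORKFLOW = """\
on:
  pull_request_target:
    branches: [ master ]
jobs:
  approve:
    runs-on: ubuntu-latest
    steps:
    - run: echo Pull requests need a human review before automated CI runs.
  build:
    runs-on: ubuntu-latest
    needs: [approve]
    environment:
      name: Integrate Pull Request
    steps:
    - uses: actions/checkout@v2
      with:
        ref: ${{ github.event.pull_request.head.sha }}
        fetch-depth: 2
    - run: ./build.sh
      env:
        API_TOKEN: ${{ secrets.API_TOKEN }}
"""

if __name__ == "__main__":
    for label, wf in (("insecure", INSECURE_WORKFLOW), ("protected", PROTECTED_WORKFLOW)):
        print(label, [(f.job, f.message) for f in analyze_workflow(wf)])
```

Run it over .github/workflows/*.yml as part of a repository audit or a pre-commit hook; a finding means the job executes contributor-controlled code with the repository's secrets available and no human approval in between. The heuristic only recognises the two gates discussed in this post (an environment binding or a label condition), so extend it if you rely on a different control.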

How it works in practice


  • Someone submits a pull request; the workflow is triggered and immediately paused.
  • A reviewer or a group of reviewers receives an email notification.
  • The reviewer clicks the link, goes to the repository, checks that the submitted PR doesn't contain any unwanted code, and finally approves it.
  • The build proceeds.
  • All approvals are audited.

A few words on Codecov



While implementing this workflow, I ran into a problem: similarly to the GitHub Checkout action, the Codecov action by default pointed to the PR's base and had to be overridden. This can be achieved with:

    - name: Codecov
      uses: codecov/codecov-action@v1
      with:
        token: ${{ secrets.CODECOV_TOKEN }}
        override_pr: ${{ github.event.number }}
        override_commit: ${{ github.event.pull_request.head.sha }}
    


    ๋‹ค์Œ ๊ฒฝ๊ณ  ๋ฉ”์‹œ์ง€๋ฅผ ์ œ๊ฑฐํ•˜๋ ค๋ฉด:

    Issue detecting commit SHA. Please run actions/checkout with fetch-depth > 1 or set to 0



you also need to set the fetch-depth of the checkout action to 2.

    steps:
    - uses: actions/checkout@v2      
      with:
        fetch-depth: 2
    


Note: I found an alternative approach using a conditional workflow step and a shell script. However, overriding the commit SHA is much easier.

Summary



The advantage of this approach is that you can assign a group of reviewers who receive email notifications about pending workflows and can review and approve them with a single click.
In my opinion, the process is also more transparent, because every event is logged, and it is semantically more accurate than using labels.

To explore the full workflow, check out my project WopiHost.
To learn more about the details of pull_request_target, head over to the documentation.

    ์ข‹์€ ์›นํŽ˜์ด์ง€ ์ฆ๊ฒจ์ฐพ๊ธฐ